Use annotated and GPG-signed tags for releases #229

@chicks-net

Description

Summary

All current release tags (v0.1 through v1.8) are lightweight (unsigned) tags, which means there is no cryptographic way to verify who created a tag pointing to a given commit. This is an enhancement to the release author identity verification documented in SECURITY.md.

What needs to change

  1. Update just release in .just/gh-process.just to create annotated tags instead of relying on gh release create (which creates lightweight tags). The recipe should use git tag -a <version> at minimum, ideally git tag -s <version> if the maintainer has a GPG key configured.

  2. Update documentation in SECURITY.md and README.md to include instructions for verifying tag signatures with git tag -v <version> once signed tags are in use.

  3. Consider a fallback for maintainers who don't have GPG keys set up — perhaps an annotated tag without signing as a minimum bar, with signed tags as recommended.

Why

Annotated tags carry author, date, and message metadata. Signed tags additionally provide cryptographic proof of the tag creator's identity. This strengthens the "verifying release author identity" OpenSSF Best Practices requirement beyond what build attestations and DCO trailers provide today.

Acceptance Criteria

  • just release creates annotated tags (or signed tags if GPG is configured)
  • SECURITY.md includes git tag -v verification instructions
  • CLAUDE.md updated to note that tags are annotated/signed
  • Existing lightweight tags left as-is (no need to re-tag historical releases)
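The recipe change in step 1, the signed-or-annotated fallback in step 3, and the verification from step 2, sketched as an added POSIX sh example (not the project's own recipe from .just/gh-process.just). It assumes a configured user.signingkey is what "GPG key configured" means, and that the tag kind is decided by inspecting the tag object rather than by trusting the ref name.

```shell
#!/bin/sh
# Added example, not the project's own recipe: tag creation with the
# signed-or-annotated fallback, plus a verification helper.
# Assumption: a configured user.signingkey means "GPG key configured".
set -eu

# Git object type behind a tag ref: "tag" (annotated or signed),
# "commit" (lightweight, like v0.1 through v1.8), or "missing".
tag_object_type() {
    git cat-file -t "refs/tags/$1" 2>/dev/null || echo missing
}

# create_release_tag <version> [commit]: signed tag when a signing key
# is configured, otherwise an annotated tag; echoes which kind was made.
create_release_tag() {
    version="$1"; target="${2:-HEAD}"
    if [ -n "$(git config --get user.signingkey || true)" ]; then
        git tag -s "$version" -m "Release $version" "$target"
        echo signed
    else
        git tag -a "$version" -m "Release $version" "$target"
        echo annotated
    fi
}

# verify_release_tag <version>: classifies the tag and, for signed tags,
# runs `git tag -v`, which needs the maintainer's public key in the local
# keyring. Exits non-zero for anything but an annotated or validly signed tag.
verify_release_tag() {
    version="$1"
    case "$(tag_object_type "$version")" in
        missing) echo missing; return 1 ;;
        commit)  echo lightweight; return 1 ;;
    esac
    # Only tags created with -s carry a signature block in the tag object.
    if git cat-file -p "refs/tags/$version" | grep -Eq '^-----BEGIN (PGP|SSH) SIGNATURE-----'; then
        if git tag -v "$version" >/dev/null 2>&1; then
            echo signed-valid
        else
            echo signed-invalid; return 1
        fi
    else
        echo annotated-unsigned
    fi
}
```

A lightweight tag is reported as such and rejected, which is the gap the issue describes: `git tag -v` on a lightweight tag fails with no signature to check, so a release check should look at the object type first.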

Labels

enhancement (New feature or request)