chore(release): bump to v0.5.0 — forge fetchers + sigstore live

Two substantial additions:

- forge: per-type release-asset URL resolvers (github, gitlab,
  codeberg, gitea, bitbucket) shipped alongside the schema field
  added in v0.4.0
- sigstore: keyless GitHub Actions OIDC signing implemented per
  ADR-0001; dry_run=False now invokes the sigstore CLI

136 tests pass (forge: +18); ruff + mypy strict clean. Build clean.

Author: imanimanyara

CHANGELOG.md

@@ -6,6 +6,31 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 ## [Unreleased]
 
+## [0.5.0] - 2026-05-16
+
+### Added
+
+- **Forge per-type fetchers** (`36e4daa`): `src/get_installer/forge.py`
+  parses the registry.json `forge` block and builds release-asset
+  URLs for github, gitlab, codeberg, gitea, and bitbucket. 18 new
+  tests cover parse + per-forge URL builders + dispatcher.
+  Bundled into single-file installer.py via the bundler's
+  MODULE_ORDER.
+- **Sigstore signing — live implementation** (`36e4daa`):
+  `verify.sign_bundle_with_sigstore` is no longer a stub. Per
+  ADR-0001 (docs/adr/0001-sigstore-key-management.md), uses the
+  GitHub Actions workflow OIDC keyless flow via the `sigstore`
+  CLI. 120s timeout, raises `SecurityError` on Fulcio/Rekor
+  unreachable. `--apply` is implemented; existing `dry_run=True`
+  default behaviour unchanged.
+
+### Architecture decisions
+
+- **ADR-0001** (`docs/adr/0001-sigstore-key-management.md`)
+  records the keyless-signing decision, the verification command
+  with `--cert-identity` URL, and the rotation-not-applicable
+  rationale.
+
 ## [0.4.0] - 2026-05-16
 
 ### Added

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "get-installer"
-version = "0.4.0"
+version = "0.5.0"
 description = "Reusable, registry-driven curl-pipe-sh-style installer for distributing dev tools across public, private, enterprise, and government contexts."
 readme = "README.md"
 license = { file = "LICENSE" }