refactor: update release process to remove COSIGN_PRIVATE_KEY and add certificate output

Author: ondbeh

.github/workflows/release.yaml

@@ -53,5 +53,3 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_KEY_PASSWORD}}

.goreleaser.yml

@@ -102,13 +102,13 @@ changelog:
 sboms:
   - artifacts: archive
 
-# sign checksums/archives using Cosign
 signs:
   - artifacts: checksum
     cmd: cosign
+    certificate: "${artifact}.pem"
     args:
       - "sign-blob"
-      - "--key=env://COSIGN_PRIVATE_KEY"
+      - "--output-certificate=${certificate}"
       - "--output-signature=${signature}"
       - "--yes"
       - "${artifact}"
@@ -119,6 +119,5 @@ docker_signs:
     cmd: cosign
     args:
       - "sign"
-      - "--key=env://COSIGN_PRIVATE_KEY"
       - "--yes"
-      - "${artifact}"
+      - "${artifact}"