[DEFER] Add release signing and provenance attestations

## Summary
Add artifact signing and provenance attestations for release outputs.

## Scope
- Sign published GHCR images (keyless/OIDC preferred).
- Produce verifiable provenance attestations for released images/binaries.
- Publish verification guidance for downstream consumers.

## Acceptance criteria
- Release artifacts are signed and verifiable.
- Provenance attestation is generated and published with release outputs.
- Verification steps are documented in project docs.

## Notes
Deferred to keep current release workflow complexity manageable while SBOM rollout stabilizes.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DEFER] Add release signing and provenance attestations #33

Summary

Scope

Acceptance criteria

Notes

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[DEFER] Add release signing and provenance attestations #33

Description

Summary

Scope

Acceptance criteria

Notes

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions