Streamline SBOM generation and cosigning

[erichs]

.goreleaser.yaml:

• Checksums renamed to checksums_linux.txt
• Removed archive SBOM generation (source SBOM generated in workflow instead)

.github/workflows/release.yml:

• Install syft dependency
• goreleaser job generates dashlights__source.sbom.json from source
• darwin-release uses checksums_darwin.txt (no longer modifies goreleaser output)
• darwin-release signs checksums_darwin.txt with cosign

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.10%. Comparing base (dc5cc85) to head (4c4ecb5).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #46      +/-   ##
==========================================
- Coverage   87.14%   87.10%   -0.05%     
==========================================
  Files          46       46              
  Lines        2474     2474              
==========================================
- Hits         2156     2155       -1     
- Misses        218      220       +2     
+ Partials      100       99       -1     

Flag	Coverage Δ
unittests	87.10% <ø> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR streamlines the SBOM generation and artifact signing process for releases by generating a source-based SBOM that includes actual Go dependencies, separating platform-specific checksums, and adding cosigning for Darwin artifacts.

• Replaced archive-based SBOM generation with source-based SBOM generation that captures go.mod dependencies
• Separated checksums into platform-specific files (checksums_linux.txt and checksums_darwin.txt) instead of maintaining a single merged file
• Added cosign signing for Darwin checksums using keyless signing with GitHub OIDC identity

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.goreleaser.yaml	Renamed checksum file to checksums_linux.txt and removed archive SBOM generation in favor of manual source SBOM generation
.github/workflows/release.yml	Added Syft installation and source SBOM generation in goreleaser job; added Cosign installation, checksum signing, and signature upload in darwin-release job

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.