
feat(ci): support signed release #2184

Status: Open. Wants to merge 3 commits into base branch master.

Conversation

@kotakanbe kotakanbe (Member) commented Apr 23, 2025

Currently, the “Signed releases” score in our OpenSSF Scorecard is zero, so we’d like to fix this.
https://scorecard.dev/viewer/?uri=github.com%2Ffuture-architect%2Fvuls

This pull request introduces changes to enable artifact signing using cosign in the GoReleaser workflow. The most important updates include adding permissions and steps for cosign in the GitHub Actions workflow and configuring cosign signing in the GoReleaser configuration.

GitHub Actions workflow updates:

  • .github/workflows/goreleaser.yml: Added id-token: read and id-token: write permissions to enable cosign functionality. Included a step to install cosign using sigstore/cosign-installer.

GoReleaser configuration updates:

  • .goreleaser.yml: Added a signs section to configure cosign for signing artifacts. This includes setting environment variables, specifying signature and certificate outputs, and defining the signing command and arguments.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

I haven’t tested it. Please proceed with the plan to run it in the next release and, if it doesn’t work, fix it on the spot.

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

**Is this ready for review?:** YES

@kotakanbe kotakanbe requested a review from Copilot April 23, 2025 08:44

@Copilot Copilot AI left a comment


Pull Request Overview

This pull request introduces support for signed releases by integrating cosign into the release process.

  • Adds a new "signs" section in the GoReleaser configuration to sign artifacts using cosign.
  • Updates the GitHub Actions workflow with additional id-token permissions and a step to install cosign.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| .goreleaser.yml | Introduces a new signs section to configure artifact signing with cosign. |
| .github/workflows/goreleaser.yml | Updates permissions for id-token and adds a Cosign installation step. |

@kotakanbe kotakanbe requested a review from Copilot April 23, 2025 08:47

@Copilot Copilot AI left a comment


Pull Request Overview

This PR introduces artifact signing using cosign to improve the “Signed releases” score for the project. Key changes include:

  • Adding a signing configuration block in .goreleaser.yml to configure cosign.
  • Updating the GitHub Actions workflow to include id-token permissions and a cosign installation step.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .goreleaser.yml | Added a "signs" block to configure cosign for artifact signing in the release process. |
| .github/workflows/goreleaser.yml | Updated permissions (id-token) and added a step to install cosign prior to other build steps. |

Comments suppressed due to low confidence (1)

.goreleaser.yml:161 (at `signs:`)

  • Consider adding tests or verification procedures for the new cosign signing configuration to ensure that artifacts are signed correctly during a release.
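The PR's config signs each artifact with `cosign sign-blob` against the GitHub Actions OIDC issuer and writes `${signature}` and `${certificate}` files, and Copilot's suppressed comment (like the checklist item "Provide verification config / commands") asks for a verification procedure. The following POSIX shell script is an added example, not the PR's or Vuls' own code: it checks that every artifact in a release directory has its companion `.sig` and `.pem` (GoReleaser's default names) and verifies each with `cosign verify-blob`, pinning the issuer and the certificate identity. The identity regexp (the repository's goreleaser.yml workflow on a tag ref) is an assumption, not something the PR states.

```shell
#!/bin/sh
# Added example, not the PR's code: verify a release signed with
# "cosign sign-blob" keyless, as the PR configures. Assumes GoReleaser's
# default <artifact>.sig / <artifact>.pem names, that every file in DIR
# other than .sig/.pem is a signed artifact, and (assumed) that the
# signer is the goreleaser.yml workflow of future-architect/vuls on a tag.
OIDC_ISSUER='https://token.actions.githubusercontent.com'  # the PR's --oidc-issuer
IDENTITY_RE='^https://github\.com/future-architect/vuls/\.github/workflows/goreleaser\.yml@refs/tags/v'

# Print artifacts in DIR lacking a .sig or .pem; 0 if all covered, else 1.
find_unsigned() {
  dir="$1"; missing=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.sig|*.pem) continue ;; esac
    if [ ! -f "$f.sig" ] || [ ! -f "$f.pem" ]; then
      printf '%s\n' "${f##*/}"; missing=1
    fi
  done
  return "$missing"
}

# Verify one artifact. Pinning issuer and identity is what makes this
# meaningful: Fulcio issues certificates to any GitHub workflow, so without
# the pin a signature from an unrelated repository would also pass.
verify_one() {
  cosign verify-blob \
    --certificate "$1.pem" --signature "$1.sig" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-identity-regexp "$IDENTITY_RE" "$1"
}

# Verify a release directory: refuse if anything is unsigned, then stop at
# the first signature that fails to verify.
verify_release() {
  dir="$1"
  if ! find_unsigned "$dir" >/dev/null; then
    echo "unsigned artifacts in $dir, refusing to verify" >&2; return 1
  fi
  for f in "$dir"/*; do
    case "$f" in *.sig|*.pem) continue ;; esac
    [ -f "$f" ] || continue
    verify_one "$f" || return 1
  done
  return 0
}

# Usage: sh verify_release.sh dist/
if [ "$#" -eq 1 ]; then verify_release "$1"; fi
```

The identity pin is the part a consumer should not skip: keyless signatures verify against the public Fulcio/Rekor instances, so the issuer and identity constraints are what tie a signature to this project's release workflow rather than to any GitHub workflow at all.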

@kotakanbe kotakanbe requested review from shino and MaineK00n April 23, 2025 09:03
@MaineK00n MaineK00n changed the title [feat] Support signed release feat(ci): support signed release Apr 23, 2025
Comment on lines +168 to +173:

```yaml
- "sign-blob"
- "--oidc-issuer=https://token.actions.githubusercontent.com"
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes"
```

Collaborator commented:

Suggested change (the original lines first, then the suggestion; the two differ only in list indentation):

```yaml
- "sign-blob"
- "--oidc-issuer=https://token.actions.githubusercontent.com"
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes"
```

```yaml
- "sign-blob"
- "--oidc-issuer=https://token.actions.githubusercontent.com"
- "--output-certificate=${certificate}"
- "--output-signature=${signature}"
- "${artifact}"
- "--yes"
```

I prefer the indent style you wrote, but other parts in this file do not add indentation for lists, hmm...

@shino shino (Collaborator) left a comment

Nice PR! Just added a tiny comment; other parts look great!
