fix(release): cosign v4 bundle format (#136)

v0.3.0 release run #25779630060 succeeded through the linux builds but
failed at the cosign signing step:

    Error: signing dist/checksums.sha256: create bundle file: open : no such file or directory

Root cause: cosign v4 deprecated `--output-signature` and
`--output-certificate` in favor of a single `--bundle` file (DSSE-
style envelope carrying both the cert and the sig). The deprecated
flags were silently ignored when the new bundle format was active,
leaving the output path unset — hence the empty filename in the
error.

Updates `.goreleaser.yml` to emit `<checksum>.cosign.bundle` and
points the verification recipes in README.md and
shared/runbooks/release-go.md at the new `--bundle` flag.

Verification command change:
- Before: --certificate <x>.pem --signature <x>.sig <x>
- After:  --bundle <x>.cosign.bundle <x>

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

.goreleaser.yml

@@ -98,19 +98,21 @@ sboms:
 # supplies the OIDC token via `id-token: write`; cosign records the
 # signature transparency entry in Rekor (public Sigstore log). No
 # long-lived signing key required.
+#
+# Cosign v4 deprecated `--output-signature` and `--output-certificate`
+# in favor of a single `--bundle` file (DSSE-style). The bundle carries
+# both the signature and the cert; users verify with one flag.
 signs:
   - id: cosign
     cmd: cosign
     args:
       - sign-blob
       - '--yes'
-      - '--output-signature=${signature}'
-      - '--output-certificate=${certificate}'
+      - '--bundle=${signature}'
       - '${artifact}'
     artifacts: checksum
     output: true
-    certificate: '${artifact}.pem'
-    signature: '${artifact}.sig'
+    signature: '${artifact}.cosign.bundle'
 
 # Homebrew tap publish — opt-in via $HOMEBREW_TAP_GITHUB_TOKEN. When the
 # env var is empty (forks, dry runs), the upload is skipped so the same
@@ -152,10 +154,9 @@ release:
         # Checksum
         sha256sum -c checksums.sha256
 
-        # Signature (Sigstore keyless)
+        # Signature (Sigstore keyless, bundle format)
         cosign verify-blob \
-          --certificate checksums.sha256.pem \
-          --signature checksums.sha256.sig \
+          --bundle checksums.sha256.cosign.bundle \
           --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \
           --certificate-oidc-issuer https://token.actions.githubusercontent.com \
           checksums.sha256

README.md

@@ -57,8 +57,7 @@ Verify (Sigstore keyless):
 ```bash
 sha256sum -c checksums.sha256
 cosign verify-blob \
-  --certificate checksums.sha256.pem \
-  --signature checksums.sha256.sig \
+  --bundle checksums.sha256.cosign.bundle \
   --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   checksums.sha256

shared/runbooks/release-go.md

@@ -54,10 +54,9 @@ End-users should verify both checksum AND signature:
 # Checksum
 sha256sum -c checksums.sha256
 
-# Signature (Sigstore keyless — no key material needed locally)
+# Signature (Sigstore keyless, bundle format — no key material needed locally)
 cosign verify-blob \
-  --certificate checksums.sha256.pem \
-  --signature checksums.sha256.sig \
+  --bundle checksums.sha256.cosign.bundle \
   --certificate-identity-regexp 'https://github.com/RandomCodeSpace/codeiq/.github/workflows/release-go.yml@.*' \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
   checksums.sha256