fix(ci): authenticate docker so cosign can sign the published chart (#253)

`helm registry login` writes to helm's own config
(~/.config/helm/registry/config.json), which cosign doesn't read.
After `helm push` succeeds, the subsequent `cosign sign` against the
just-published OCI subject fails with `UNAUTHORIZED: unauthenticated`
because cosign reads ~/.docker/config.json instead.

Add a docker/login-action step alongside the helm registry login (same
pattern operator-ci.yaml uses for signing operator images) so cosign
can upload the .sig layer and the cyclonedx SBOM attestation to the
same ghcr.io repository.

Surfaced when publishing chart/v0.16.0 once the prior `helm push` stderr
parsing fix (PR #249) let the workflow reach the cosign step.

Signed-off-by: Alex Yuskauskas <ayuskauskas@nvidia.com>

Author: ayuskauskas

.github/workflows/release.yml

@@ -172,6 +172,16 @@ jobs:
           echo "${{ secrets.GITHUB_TOKEN }}" \
             | helm registry login ghcr.io --username "${{ github.actor }}" --password-stdin
 
+      # cosign reads ~/.docker/config.json; helm registry login writes its own
+      # config so cosign can't see those creds. Authenticate docker too so the
+      # downstream sign/attest steps can upload the .sig and SBOM layers.
+      - name: Log in to ghcr.io (docker, for cosign)
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Push chart to ghcr.io
         id: push-chart
         env: