fix: use cosign --bundle flag for SBOM signing (#213)

cosign v2+ deprecated --output-signature and --output-certificate in
favor of --bundle. The deprecated flags are silently ignored under the
new bundle format, causing 'create bundle file: open : no such file or
directory' because no --bundle path is provided.

Switch to --bundle and update the release asset list accordingly.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/release.yaml

@@ -207,8 +207,7 @@ jobs:
         shell: bash -Eeuo pipefail -x {0}
         run: |
           cosign sign-blob --yes \
-            --output-signature sbom.spdx.json.sig \
-            --output-certificate sbom.spdx.json.cert \
+            --bundle sbom.spdx.json.bundle \
             sbom.spdx.json
 
       - name: Generate install manifest and CRDs bundle
@@ -226,8 +225,7 @@ jobs:
             dist/install.yaml
             dist/crds.yaml
             sbom.spdx.json
-            sbom.spdx.json.sig
-            sbom.spdx.json.cert
+            sbom.spdx.json.bundle
 
       # Krew manifest update runs last with continue-on-error so a Krew
       # failure never blocks Docker images, signatures, or provenance.