workflow: Pin cosign to v2.6.2 for legacy .sig tag compatibility

cosign-installer v4.1.1 installs cosign v3.0.5, which defaults to
OCI 1.1 referrers for storing signatures instead of the legacy
sha256-<digest>.sig tag format. image-rs inside the confidential
guest only supports the legacy .sig tag discovery, causing signature
verification to fail with "manifest unknown".

Pin cosign to v2.6.2 (latest v2 release) to produce .sig tags that
image-rs can find.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor

Author: fidencio

.github/workflows/build-test-containers.yaml

@@ -95,6 +95,7 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
         with:
+          cosign-release: 'v2.6.2'
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Import GPG key