Description
Goal
As a Keptn user, I want to be sure that the code I am downloading is actually the code that the maintainers released.
Details
Introduce new steps in the release pipeline that use cosign to sign the release code archives for every release.
This should be achievable with cosign blob signing plus an attestation over the resulting files.
This should also raise our OpenSSF security score.
DoD
- GitHub code releases are signed
- the signature and certificate are attached to each release going forward
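The following GitHub Actions workflow is an added example of the pipeline steps described above and of the two DoD items: it is not Keptn's own release workflow. It assumes a hypothetical build step that places release archives under `dist/`, uses Sigstore keyless signing (so it needs `id-token: write`), and uses the `cosign sign-blob`, `cosign attest-blob`, `cosign verify-blob` and `cosign verify-blob-attestation` subcommands with their `--bundle` and `--certificate-identity-regexp` / `--certificate-oidc-issuer` flags as in cosign v2; the exact flag set is assumed and should be checked against the installed cosign version.

```yaml
# Added example workflow (not Keptn's own): sign and attest release archives
# with keyless cosign, verify them, then attach everything to the GitHub release.
# Assumptions: archives are built into ./dist/ by a hypothetical build step;
# the release tag comes from the release event; cosign v2 flag names.
name: sign-release-archives

on:
  release:
    types: [published]

permissions:
  contents: write   # needed to upload signatures/certificates to the release
  id-token: write   # needed for Sigstore keyless (OIDC) signing

jobs:
  sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release archives (hypothetical build step)
        run: |
          mkdir -p dist
          git archive --format=tar.gz \
            -o "dist/keptn-${{ github.event.release.tag_name }}-src.tar.gz" HEAD

      - uses: sigstore/cosign-installer@v3

      - name: Sign and attest every archive (keyless: Fulcio cert + Rekor entry)
        run: |
          set -euo pipefail
          cd dist
          for f in *.tar.gz; do
            # Detached signature and short-lived certificate satisfy the DoD;
            # the bundle additionally carries the Rekor proof for offline checks.
            cosign sign-blob --yes \
              --output-signature "$f.sig" \
              --output-certificate "$f.pem" \
              --bundle "$f.bundle" \
              "$f"
            # Constructed predicate: binds the archive's SHA-256 to the source commit.
            printf '{"artifact":"%s","sha256":"%s","commit":"%s"}\n' \
              "$f" "$(sha256sum "$f" | cut -d' ' -f1)" "$GITHUB_SHA" \
              > "$f.predicate.json"
            cosign attest-blob --yes \
              --type custom \
              --predicate "$f.predicate.json" \
              --bundle "$f.att.bundle" \
              "$f"
          done

      - name: Verify before publishing (fail the job if signing went wrong)
        run: |
          set -euo pipefail
          cd dist
          # Only a certificate issued to a workflow of this repository is accepted.
          IDENTITY="^https://github.com/${GITHUB_REPOSITORY}/"
          ISSUER="https://token.actions.githubusercontent.com"
          for f in *.tar.gz; do
            cosign verify-blob \
              --bundle "$f.bundle" \
              --certificate-identity-regexp "$IDENTITY" \
              --certificate-oidc-issuer "$ISSUER" \
              "$f"
            cosign verify-blob-attestation \
              --bundle "$f.att.bundle" \
              --type custom \
              --certificate-identity-regexp "$IDENTITY" \
              --certificate-oidc-issuer "$ISSUER" \
              "$f"
          done

      - name: Attach archives, signatures, certificates and attestations to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.event.release.tag_name }}" dist/* --clobber
```

A downloader re-runs the same two `verify-blob` / `verify-blob-attestation` commands against the files attached to the release; pinning the certificate identity to the repository's workflow URL and the issuer to GitHub's OIDC endpoint is what makes the check meaningful, since any Fulcio certificate would otherwise verify.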
Status
🎟️ Refined