Add Cosign keyless signing for Harbor release artifacts

[Aloui-Ikram]

This PR added Cosign keyless signing for Harbor release artifacts to verify integrity and provenance of binaries.

Key Changes:

• Integrated Cosign keyless signing using GitHub OIDC tokens
• Automatic signing for offline and online installers
• Updated build and release workflows to handle .bundle signature files
• Added signature verification documentation
• Fixed duplicate flag issue in make/pushimage.sh

Testing & Verification

I have successfully tested these changes in a fork. https://github.com/Aloui-Ikram/harbor/releases/tag/v2.15.0-test-v2

1. Successful Workflow Execution
The Publish Release workflow successfully identifies the signed bundles and processes them alongside the main packages.

2. Verified Release Assets
The final release includes the .bundle files (verifiable signatures) alongside the offline and online installers.

Issue being fixed

Fixes #22367, #21156

Please indicate you've done the following:

• Well Written Title and Summary of the PR
• Label the PR as needed. "release-note/infra , needs/follow-up , target/2.15.0"
• Accepted the DCO. Commits without the DCO will delay acceptance.
• Made sure tests are passing and test coverage is added if needed.
• Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

[bupd]

@Aloui-Ikram Thanks for your contribution, I have added suggestions for improvements.

[bupd]

I would also suggest to cleanup and squash your commits. 51 commits might be way too much for this change.

• also remove redundant commits
• Do a release on your forked repo. so i can verify the signed artifacts.

Thanks for picking this up. this has been sitting in my backlog for a while.

[reasonerjt]

@Aloui-Ikram

This was on my to-do list, but thanks for taking it over.
I'll double-check the PR. Ping me when it's ready.

[bupd]

@Aloui-Ikram can you remove the WIP from PR title.

@reasonerjt here is the release artifacats which you can take a look. https://github.com/Aloui-Ikram/harbor/releases/tag/v2.15.0-test-v2

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.85%. Comparing base (c8c11b4) to head (676e9f8).
⚠️ Report is 598 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #22578       +/-   ##
===========================================
+ Coverage   45.36%   65.85%   +20.48%     
===========================================
  Files         244     1073      +829     
  Lines       13333   116095   +102762     
  Branches     2719     2931      +212     
===========================================
+ Hits         6049    76455    +70406     
- Misses       6983    35399    +28416     
- Partials      301     4241     +3940     

Flag	Coverage Δ
unittests	65.85% <ø> (+20.48%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 987 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Aloui-Ikram]

@Aloui-Ikram

This was on my to-do list, but thanks for taking it over. I'll double-check the PR. Ping me when it's ready.
@reasonerjt Thank you. The PR is ready for your review.

[bupd]

@Aloui-Ikram Added a few more suggestions.

Also please do mark the comments as resolved after fixing it.

Thanks

[bupd]

@Aloui-Ikram please add fix #21156 to the pr description so this PR tracks that issue too.

[bupd]

/lgtm