fix: update cosign signing to use bundle format for v3 compatibility (#783)

The release workflow was failing because cosign v3 no longer generates
separate .pem certificate files with --output-certificate. Updated to use
the new --bundle flag which combines certificate and signature into a
single .sigstore.json file.

Changes:
- Remove certificate field and --output-certificate flag from signs config
- Use signature field with .sigstore.json extension
- Remove deprecated COSIGN_EXPERIMENTAL=1 environment variable

Fixes #782

Signed-off-by: Engin Diri <engin.diri@ediri.de>

Author: dirien

.goreleaser.yaml

@@ -36,15 +36,12 @@ checksum:
 
 signs:
   - cmd: cosign
-    env:
-      - COSIGN_EXPERIMENTAL=1
-    certificate: '${artifact}.pem'
+    signature: '${artifact}.sigstore.json'
     args:
       - sign-blob
-      - '-y'
-      - '--output-certificate=${certificate}'
       - '--bundle=${signature}'
       - '${artifact}'
+      - '-y'
     artifacts: all
     output: true
 
@@ -98,14 +95,12 @@ docker_manifests:
 
 docker_signs:
   - cmd: cosign
-    env:
-      - COSIGN_EXPERIMENTAL=1
     artifacts: manifests
     output: true
     args:
       - 'sign'
-      - '-y'
       - '${artifact}'
+      - '-y'
 
 brews:
   - repository: