build: fix failing provenance job

.github/workflows/release-manual.yml

@@ -140,4 +140,6 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true
+      upload-assets: true
+      compile-generator: true  # Self-contained build to avoid Rekor dependency issues
+

.github/workflows/release.yml

@@ -64,4 +64,6 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
-      upload-assets: true
+      upload-assets: true
+      compile-generator: true  # Self-contained build to avoid Rekor dependency issues
+

docs/RELEASE_SETUP.md

@@ -164,6 +164,11 @@ Each release should include:
    - Verify GoReleaser configuration
    - Check workflow permissions
 
+4. **SLSA provenance generation fails (exit code 27)**:
+   - This is caused by external Rekor service unavailability
+   - Our workflows use `compile-generator: true` to avoid this dependency
+   - The generated provenance is still valid and secure
+
 ### Getting Help
 
 - GoReleaser docs: https://goreleaser.com