fix: tag_final must wait for verify_attestations

Ensures final tag is only created after attestation verification succeeds.
This enforces the security gate: verify before promoting.

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

Author: morrison-sap

.github/workflows/cli-release.yml

@@ -237,7 +237,7 @@ jobs:
   tag_final:
     name: Create and Push Final Tag
     if: ${{ github.event.inputs.release_candidate == 'false' && github.event.inputs.dry_run == 'false' }}
-    needs: [prepare, validate_final]
+    needs: [prepare, validate_final, verify_attestations]
     runs-on: ubuntu-latest
     permissions:
       contents: write