fix: use -W flag for minisign password input from stdin #20

Merged
ramonclaudio merged 1 commit into main from fix/minisign-stdin-password
Sep 7, 2025

Conversation

@ramonclaudio
Owner

Summary

  • Add -W flag to all minisign commands to read password from stdin
  • Remove MINISIGN_PASS environment variable approach that doesn't work
  • Pipe password directly to minisign for all signing operations

Problem

The workflow was failing with a "Password: get_password()" error because minisign doesn't recognize the MINISIGN_PASS environment variable. Minisign was waiting for interactive password input, which fails in CI.

Solution

Use the -W flag, which tells minisign to read the password from stdin instead of prompting interactively. This allows us to pipe the MINISIGN_PASSPHRASE secret directly to minisign.

Changes

  • Updated all three minisign signing steps to use -W flag with piped password
  • Package signing (.tgz files)
  • SBOM signing (.sbom.* and .ms-spdx.json files)
  • Attestation signing (.intoto.jsonl files)

Testing

This fix ensures the publish workflow can properly sign artifacts when using password-protected minisign keys in CI environments.

- Add -W flag to all minisign commands to read password from stdin
- Remove MINISIGN_PASS environment variable approach that doesn't work
- Pipe password directly to minisign for all signing operations

@ramonclaudio merged commit 660cf99 into main Sep 7, 2025
5 checks passed
@ramonclaudio deleted the fix/minisign-stdin-password branch September 7, 2025 16:01