chore(release): update SLSA provenance workflow and cosign signing configuration

- Switch SLSA GitHub generator workflow from v2 tag to main branch
- Expand cosign signing from checksum artifacts to all artifacts
- Update cosign args: use quoted flags, replace oidc-issuer with oidc-provider=github, reorder for consistency
- Remove duplicate signs section at end of .goreleaser.yaml

Author: rshdhere

.github/workflows/release-provenance.yaml

@@ -9,7 +9,7 @@ permissions:
 
 jobs:
   provenance:
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
     with:
       base64-subjects: |
         ${{ github.repository }}@${{ github.ref }}

.goreleaser.yaml

@@ -65,16 +65,16 @@ checksum:
   name_template: "checksums.txt"
 
 signs:
-  - artifacts: checksum
+  - cmd: cosign
     id: cosign
-    cmd: cosign
+    artifacts: all
     args:
       - sign-blob
-      - --yes
-      - --oidc-issuer=https://token.actions.githubusercontent.com
-      - --output-signature=${signature}
-      - --output-certificate=${certificate}
-      - ${artifact}
+      - "--yes"
+      - "--oidc-provider=github"
+      - "--output-signature=${signature}"
+      - "--output-certificate=${certificate}"
+      - "${artifact}"
 
 homebrew_casks:
   - name: vibecheck
@@ -100,13 +100,3 @@ homebrew_casks:
       name: "Vibecheck Bot"
       email: "bot@vibecheck.sh"
     commit_msg_template: "chore(brew): update vibecheck to {{ .Tag }}"
-
-signs:
-  - artifacts: checksum
-    cmd: cosign
-    args:
-      - sign-blob
-      - "--yes"
-      - "--output-signature=${signature}"
-      - "--output-certificate=${certificate}"
-      - "${artifact}"