
ci: add tag-driven release workflow#3

Open
fheikens wants to merge 1 commit into main from ci/release-workflow

Conversation

@fheikens
Contributor

Summary

Adds a complete release workflow (.github/workflows/release.yml) triggered on v* tag pushes. Implements all six gates from the Elevarq release protocol.

Release pipeline

v* tag push
  → validate (tag ↔ VERSION file, prepare-release.sh --check-only)
  → test (integration, resilience, startup failure — against built image)
  → lint (hadolint, helm lint)
  → security-scan (Trivy fs + config + image, gitleaks)
  → publish (GHCR push, cosign sign, SBOM generation)
  → release (GitHub Release with SBOM attachment)

Gates enforced

| Gate | Tool | Blocks release? |
|------|------|-----------------|
| A. Correctness | prepare-release.sh, integration tests | Yes |
| B. Lint | hadolint, helm lint | Yes |
| C. Security | Trivy (CRITICAL/HIGH), gitleaks | Yes |
| D. Supply chain | Pinned actions, GHCR push | Yes |
| E. Artifact | cosign keyless signing, SBOM (SPDX) | Yes |
| F. Hygiene | CHANGELOG extraction, release notes | Yes |

How to release

```bash
# 1. Update VERSION, CHANGELOG.md, Chart.yaml
# 2. Commit and push to main
# 3. Tag and push
git tag -a v0.3.0 -m "Release v0.3.0"
git push origin v0.3.0
# → workflow runs automatically
```

New capabilities

  • Container images published to ghcr.io/elevarq/pgagroal
  • Images signed with cosign (keyless, GitHub OIDC)
  • SBOM (SPDX JSON) attached to every release
  • Consumers can verify: `cosign verify ghcr.io/elevarq/pgagroal:0.3.0 --certificate-identity-regexp='github.com/Elevarq/' --certificate-oidc-issuer='https://token.actions.githubusercontent.com'`

🤖 Generated with Claude Code
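The validate gate (tag ↔ VERSION file) and the CHANGELOG extraction from gate F, as an added stand-alone example that is not the project's prepare-release.sh or workflow code; it assumes (both assumptions) that VERSION holds a bare semver string and that CHANGELOG.md uses `## [x.y.z]` section headings.

```bash
#!/usr/bin/env bash
# Added example, not the project's prepare-release.sh. Assumes (both
# assumptions) that VERSION holds a bare semver string and that
# CHANGELOG.md uses "## [x.y.z]" section headings.
set -euo pipefail
SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$'

# tag_to_version REF: strip "refs/tags/" and the leading "v" from a tag ref.
tag_to_version() {
  local ref="${1#refs/tags/}"
  printf '%s\n' "${ref#v}"
}

# check_tag_matches_version REF VERSION_FILE
# Succeeds only when the tag is well-formed semver and equals the VERSION file,
# so a stray tag (e.g. "nightly") or a forgotten VERSION bump stops the pipeline.
check_tag_matches_version() {
  local ver file_ver
  ver="$(tag_to_version "$1")"
  if ! printf '%s' "$ver" | grep -Eq "$SEMVER_RE"; then
    echo "tag '$1' is not a semver release tag" >&2
    return 1
  fi
  file_ver="$(tr -d '[:space:]' < "$2")"
  if [ "$ver" != "$file_ver" ]; then
    echo "tag version $ver does not match VERSION file ($file_ver)" >&2
    return 1
  fi
}

# changelog_section VERSION CHANGELOG_FILE
# Prints the body under "## [VERSION]" up to the next "## " heading; empty
# output means the changelog was not updated for this release.
changelog_section() {
  awk -v ver="$1" '
    /^## / { inside = (substr($0, 1, length(ver) + 5) == "## [" ver "]"); next }
    inside { print }
  ' "$2"
}

# Constructed sample inputs (not taken from the repository).
demo() {
  local work; work="$(mktemp -d)"
  printf '0.3.0\n' > "$work/VERSION"
  printf '# Changelog\n\n## [0.3.0]\n- Add release workflow\n\n## [0.2.0]\n- Older\n' > "$work/CHANGELOG.md"
  check_tag_matches_version refs/tags/v0.3.0 "$work/VERSION"
  changelog_section 0.3.0 "$work/CHANGELOG.md"
  rm -rf "$work"
}
demo
```

In the workflow the ref comes from `GITHUB_REF`, and the extracted section is what ends up as the release notes body.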

Adds .github/workflows/release.yml triggered on v* tag pushes.

Release gates enforced:
  A. Correctness — version consistency (prepare-release.sh), integration
     tests, resilience tests run against the built container image
  B. Lint — hadolint (Dockerfile), helm lint (chart)
  C. Security — Trivy (fs + config + image), gitleaks; CRITICAL/HIGH
     findings block the release
  D. Supply chain — pinned actions, GHCR push with docker/metadata-action
  E. Artifact — cosign keyless signing (GitHub OIDC), SBOM generation
     (syft via anchore/sbom-action, SPDX JSON)
  F. Release hygiene — changelog extraction, GitHub Release with SBOM
     attachment and cosign verification instructions

Image published to ghcr.io/elevarq/pgagroal with semver tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
