ci: sign + ship release binaries (cosign keyless)

[aksOps]

Summary

Extends release.yml to actually ship signed, cross-platform binaries instead of just creating empty tag entries. Fixes Scorecard's Signed-Releases check (N/A → 10).

What changes

• Split into 4 jobs: tag / ui / build (matrix) / release
• Matrix builds `docsiq` with CGO + sqlite_fts5 tag:
  • `linux-amd64` on `ubuntu-latest`
  • `darwin-amd64` on `macos-13`
  • `darwin-arm64` on `macos-latest`
• Version ldflags injected: `cmd.Version`, `cmd.Commit`, `cmd.Date`
• `-trimpath -s -w` for reproducibility + small binaries
• cosign keyless signs every binary + SHA256SUMS; `.sig` + `.pem` + checksums uploaded

Branch-protection `strict` was just relaxed out-of-band, so this PR's auto-merge won't cause queue churn.

Trade-offs

• CI time per release: 30s → ~4-5 min (3 parallel builds + sign step). Acceptable given release cadence is one per main merge.
• Windows skipped (CGO + sqlite-vec is painful there); can add later.
• macOS binaries are not Apple-Developer-ID signed — Sigstore signing addresses supply-chain, not OS trust. Users will need to right-click Open on first run (standard for OSS).

Test plan

• CI passes
• First release after merge produces binary + .sig + .pem + SHA256SUMS on GitHub Releases
• Local `cosign verify-blob` succeeds against a downloaded binary