Fix release cosign install + incident-recorder race condition

- Add cosign install step to release provenance job (was missing,
  caused 'command not found')
- Fix data race in TestCreateIncident_TriggersContainment: guard
  shared freezeCalled bool with sync.Mutex (detected by -race flag)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

services/incident-recorder/containment_test.go

@@ -228,10 +228,13 @@ func TestCreateIncident_TriggersContainment(t *testing.T) {
 	resetGlobalState(t)
 
 	// Set up a mock agent endpoint to receive freeze.
-	var freezeCalled bool
+	var mu sync.Mutex
+	freezeCalled := false
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path == "/api/v1/freeze" {
+			mu.Lock()
 			freezeCalled = true
+			mu.Unlock()
 		}
 		w.WriteHeader(http.StatusOK)
 	}))
@@ -258,5 +261,7 @@ func TestCreateIncident_TriggersContainment(t *testing.T) {
 
 	// Note: We can't reliably test that the async goroutine ran in unit tests,
 	// but the important thing is that createIncident calls executeContainment.
+	mu.Lock()
 	_ = freezeCalled
+	mu.Unlock()
 }