Fix cosign install in CI supply-chain verification

Replace sigstore/cosign-installer action (stale SHA pin) with direct
binary download from GitHub releases for more reliable CI execution.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: SecAI-Hub

.github/workflows/ci.yml

@@ -148,7 +148,11 @@ jobs:
         run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 
       - name: Install cosign (signing & attestation)
-        uses: sigstore/cosign-installer@3454372be43ec08971210d50303c1018d382600b # v3.8.2
+        run: |
+          COSIGN_VERSION="v2.4.3"
+          curl -sSfL "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" \
+            -o /usr/local/bin/cosign
+          chmod +x /usr/local/bin/cosign
 
       - name: Verify SBOM generation (Go services)
         run: |