Publish Helm plugin provenance artifacts in release pipeline

[Copilot]

Helm v4 verifies plugin provenance by default, but this repo only published .tgz plugin archives, causing installs to fail unless verification was explicitly disabled. This PR adds signed .prov artifacts to releases and updates install guidance accordingly.

• Release artifact signing (.goreleaser.yml)

  • Added a signs block for archive artifacts.
  • Generates Helm-compatible provenance files as ${artifact}.prov.
  • Signs a provenance message containing plugin.yaml metadata + files:<archive>=sha256:<digest> using GPG (clear-signed output Helm can verify).

• Release workflow secret wiring (.github/workflows/release.yaml)

  • Imports the release signing key for tagged releases.
  • Exposes GPG_FINGERPRINT and GPG_PASSPHRASE to GoReleaser.
  • Skips signing during snapshot/non-tag runs (--skip=sign) so CI snapshots remain runnable without release secrets.

• Docs update (README.md)

  • Removed the Helm 4 --verify=false workaround instruction.
  • Replaced with provenance-aware wording indicating .prov artifacts are published with releases.

signs:
  - artifacts: archive
    signature: "${artifact}.prov"