Goreleaser incompatible with cosign v3

[rhamzeh]

We need to downgrade the version of cosign we are using, as this is blocking releases (see https://github.com/openfga/cli/actions/runs/19077645922/job/54497698890), causing it to fail with the following error:

Error: must provide --bundle with --signing-config or --use-signing-config

Root cause: goreleaser is not yet compatible with v3 of cosign (v3 announcement)

Solution for now, pin cosign to v2.x.

# ...
jobs:
  goreleaser:
    steps:
      # ...
      - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
        with:
          cosign-release: "v2.6.1"
      # ...
# ...

Ref: goreleaser/goreleaser#6195

[coderabbitai]

A summary of the changes CodeRabbit can apply:

• Update .github/workflows/main.yaml to pin cosign to v2.6.1 by adding with: cosign-release: "v2.6.1" in the goreleaser job (lines 157–159) and the verification-with-cosign job (lines 273–275), ensuring compatibility with goreleaser and preventing the bundle/signing-config error.

• Update .github/workflows/main.yaml to install Cosign via sigstore/cosign-installer in two workflow steps by adding a "with: cosign-release: "v2.6.1"" configuration (replacing the previous Install Cosign step).

• ✅ Create PR with these edits
• 📋 Get copyable edits