fix: use WithSecretVariable in Sign() for consistent credential handling

[Sypher845]

Description

Makes Sign() follow the same WithSecretVariable + shell expansion pattern already used by AttestSBOM().

• Fixes Sign() uses Plaintext(ctx) instead of WithSecretVariable for registry password #951

Before

┆ Secret.plaintext: String!
.
.
.
┆ withExec cosign sign ... --registry-password ***

After

┆ Container.withSecretVariable(name: "REGISTRY_PASSWORD", secret: Secret!)
.
.
┆ withExec sh -c 'cosign sign ... --registry-password $REGISTRY_PASSWORD ...'

Type of Change

• Bug fix
• New feature
• Refactor
• Documentation update
• Chore / maintenance

Changes

• Replaced Plaintext(ctx) extraction with WithSecretVariable("REGISTRY_PASSWORD", registryPassword)
• Pass password via $REGISTRY_PASSWORD shell variable instead of direct CLI argument
• Fixed fmt.Errorf format verb (%s → %v for a pointer nil-check)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 9.27%. Comparing base (60ad0bd) to head (ced8586).
⚠️ Report is 163 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##             main    #952      +/-   ##
=========================================
- Coverage   10.99%   9.27%   -1.72%     
=========================================
  Files         173     290     +117     
  Lines        8671   14597    +5926     
=========================================
+ Hits          953    1354     +401     
- Misses       7612   13117    +5505     
- Partials      106     126      +20     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.