Fix prerelease GPG signing in release workflows

[Copilot]

The prerelease GitHub Actions job was failing during GoReleaser checksum signing because gpg was running in batch mode without access to the signing passphrase. This change wires the passphrase into the release path and updates signing to consume it non-interactively.

• Root cause

  • task release:prod invoked GoReleaser without providing the GPG passphrase needed for checksum signing.
  • The existing release workflows validated key import/unlock separately, but the GoReleaser signing step still prompted internally and failed in batch mode.

• Release signing

  • Updated .goreleaser.yml to pipe GPG_PASS into gpg and use --passphrase-fd 0.
  • Keeps signing non-interactive while avoiding passphrase exposure via process arguments.

• Workflow wiring

  • Exported GPG_PASS alongside GPG_KEY_ID in all workflows that call task release:prod:
    • pro_selfhosted_beta.yml
    • community_beta.yml
    • pro_selfhosted_release.yml
    • community_release.yml

• Behavioral impact

  • Prerelease and release jobs continue to use the existing GPG key flow.
  • The signing step now has the credentials it needs when GoReleaser creates checksum signatures.

signs:
  - cmd: sh
    args:
      - -c
      - |
        printf '%s' "$GPG_PASS" | gpg \
          -u "{{ .Env.GPG_KEY_ID }}" \
          --pinentry-mode loopback \
          --passphrase-fd 0 \
          --yes \
          --batch \
          --output "${signature}" \
          --detach-sign "${artifact}"