fix(ci): pin develop checkout to workflow_run.head_sha and document sign-image prereq

  * `build-and-publish-develop.yml` now checks out
    `${{ github.event.workflow_run.head_sha }}` so the signed image and its
    SLSA provenance correspond to the exact commit that passed `Build/Test`,
    rather than whatever happens to be at develop's tip when this workflow
    runs. Without this, a second push to develop arriving before the
    publish job starts would cause the published/signed artifact to drift
    from the tested commit.
  * Extend the `sign-image` composite action's description to document the
    `actions/checkout` prerequisite. The action resolves the built commit
    via `git rev-parse HEAD` (intentional — on a tag push the release
    workflow checks out a branch whose tip may be ahead of the tag commit,
    so `github.sha` would record the wrong revision).

Signed-off-by: Warwick Peatey <warwick@automatic.systems>
Assisted-by: Claude Code

.github/actions/sign-image/action.yaml

@@ -1,8 +1,13 @@
 name: 'Sign Container Image'
 description: >-
   Sign a container image and attest SLSA v1 build provenance using cosign
-  keyless (Sigstore) with GitHub Actions OIDC. Requires `id-token: write` in
-  the calling job.
+  keyless (Sigstore) with GitHub Actions OIDC. Callers must check out the
+  source tree (e.g. `actions/checkout`) before invoking this action — the
+  built commit is resolved with `git rev-parse HEAD` so the attestation
+  records the revision that was actually built rather than `github.sha`,
+  which on a tag push reflects the tag-pointed commit and may differ from
+  the branch tip the release workflow checks out. The calling job must
+  have `id-token: write`.
 
 inputs:
     image:

.github/workflows/build-and-publish-develop.yml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v6.0.2
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
       - name: Set SHA
         id: sha
         run: |