Fix prerelease release signing in GitHub Actions

[Copilot]

The prerelease Actions job was failing during GoReleaser checksum signing because gpg was invoked in batch mode without access to the signing passphrase. This change wires the passphrase through the release workflows and updates the shared signing command to consume it non-interactively.

• Root cause

  • The workflow imported and unlocked the GPG key up front, but the later GoReleaser signing step ran gpg without a passphrase source.
  • Result: checksum signing failed with gpg: Sorry, we are in batchmode - can't get input.

• Workflow changes

  • Export GPG_PASS in all release-entry workflows that call task release:prod:
    • community beta
    • community release
    • pro self-hosted beta
    • pro self-hosted release

• GoReleaser signing

  • Update .goreleaser.yml so checksum signing reads the passphrase from stdin via --passphrase-fd 0 instead of expecting interactive input.
  • This keeps the fix centralized in the shared release config used by the affected workflows.

• Result

  • Prerelease publishing can complete checksum signing in CI without interactive GPG input.

signs:
  - cmd: sh
    args:
      - -c
      - |
        printf '%s' "$GPG_PASS" | \
        gpg -u "{{ .Env.GPG_KEY_ID }}" \
          --pinentry-mode loopback \
          --yes --batch \
          --passphrase-fd 0 \
          --output "${signature}" \
          --detach-sign "${artifact}"