Branch-protect the R8 release trust root: CODEOWNERS + protected v* tags (RFC-0001 R8 follow-up #4) #282

Description

@saadqbal

RFC-0001 R8 follow-up #4 (tracebloc/backend#889, epic tracebloc/backend#830). Needs repo-admin (filer has maintain, not admin).

Why

R8 (#281) uses cosign keyless signing — the trust root is literally "whatever the release workflow signs." So a change to the release workflow, the manifest generator, or the ability to publish a v* tag is a change to what gets trusted. These must require review.

Do

  1. Extend .github/CODEOWNERS to require code-owner review on the trust-root files (set @owner to the platform/security owners):
    /.github/workflows/release-helm-chart.yaml   @owner
    /scripts/install.sh                           @owner
    /scripts/install-k8s.sh                       @owner
    /scripts/gen-manifest.sh                      @owner
    /scripts/manifest.sha256                      @owner
    /scripts/lib/                                 @owner
    
  2. Branch protection on develop + main: require a PR review and "Require review from Code Owners" so those paths can't change unreviewed.
  3. Protected tags: add a protected-tag rule for v* so only authorized actors can create/move release tags (the keyless signer identity is the tag-triggered release workflow).
  4. (review nit, defense-in-depth) SHA-pin the signing-job actions in release-helm-chart.yaml (softprops/action-gh-release, sigstore/cosign-installer, actions/checkout).

Decision

Owner (@saadqbal) approved doing this (2026-06-25). Gate: have it in place before the first real signed release is trusted.

Refs: tracebloc/backend#830, tracebloc/backend#889, #281.
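A CI-style check for steps 1 and 4 above, as an added example that is not part of the original issue or the repository's own code. The function names and the sample file contents are constructed for illustration, and the CODEOWNERS check is simplified: it looks for the exact path patterns listed in the issue rather than evaluating glob and last-match-wins semantics.

```python
import re

# Trust-root paths copied from the CODEOWNERS list in the issue.
TRUST_ROOT = [
    "/.github/workflows/release-helm-chart.yaml",
    "/scripts/install.sh",
    "/scripts/install-k8s.sh",
    "/scripts/gen-manifest.sh",
    "/scripts/manifest.sha256",
    "/scripts/lib/",
]
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")

def missing_codeowners(codeowners_text):
    """Return trust-root paths that have no CODEOWNERS line naming an owner."""
    owned = set()
    for line in codeowners_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:  # a pattern with no owner leaves the path unowned
            owned.add(fields[0])
    return [p for p in TRUST_ROOT if p not in owned]

def unpinned_actions(workflow_text):
    """Return `uses:` references not pinned to a full 40-hex commit SHA."""
    refs = USES.findall(workflow_text)
    return [r for r in refs if not r.startswith("./") and not FULL_SHA.search(r)]

# Constructed sample inputs: one path left without an owner, two tag-pinned actions.
SAMPLE_CODEOWNERS = """\
/.github/workflows/release-helm-chart.yaml @owner
/scripts/install.sh @owner
/scripts/install-k8s.sh @owner
/scripts/gen-manifest.sh @owner
/scripts/manifest.sha256
/scripts/lib/ @owner
"""
SAMPLE_WORKFLOW = """\
jobs:
  sign:
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: softprops/action-gh-release@v2
"""

if __name__ == "__main__":
    print("unowned trust-root paths:", missing_codeowners(SAMPLE_CODEOWNERS))
    print("actions not SHA-pinned:", unpinned_actions(SAMPLE_WORKFLOW))
```

Branch protection and the protected-tag rule (steps 2 and 3) are repository settings and are not covered by this file-level check.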
