Add release workflow

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Author: JAORMX

.github/workflows/release.yml

@@ -0,0 +1,87 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  release:
+    name: Release Container
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+
+      - name: Install Task
+        uses: arduino/setup-task@v2
+        with:
+          version: '3.x'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: task install
+
+      - name: Test
+        run: task test
+
+      - name: Setup Ko
+        uses: ko-build/setup-ko@v0.9
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract tag version
+        id: tag
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+      - name: Set repository owner lowercase
+        id: repo_owner
+        run: echo "OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+      - name: Build and push container
+        env:
+          KO_DOCKER_REPO: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/sqlite-mcp
+          VERSION: ${{ steps.tag.outputs.VERSION }}
+          CREATION_TIME: $(date -u +'%Y-%m-%dT%H:%M:%SZ')
+        run: |
+          # Build and push the container with reproducible build flags
+          ko build \
+            --bare \
+            --sbom=spdx \
+            --platform=linux/amd64,linux/arm64 \
+            --base-import-paths \
+            --tags $VERSION,latest \
+            ./cmd/server
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+
+      - name: Sign Image with Cosign
+        env:
+          KO_DOCKER_REPO: ghcr.io/${{ steps.repo_owner.outputs.OWNER }}/sqlite-mcp
+        run: |
+          TAG=$(echo "${{ steps.tag.outputs.VERSION }}" | sed 's/+/_/g')
+          # Sign the ko image
+          cosign sign -y $KO_DOCKER_REPO/server:$TAG
+
+          # Sign the latest tag if building from a tag
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            cosign sign -y $KO_DOCKER_REPO/server:latest
+          fi