
fix(release): publish immutable release assets before publication#175

Merged
seonghobae merged 1 commit into main from fix/immutable-release-publishing on Apr 28, 2026

Conversation

seonghobae (Owner) commented:

Summary

  • Moves desktop release asset publication to a tag-driven draft release flow so assets, checksums, SBOM, and supplemental inventory are attached before immutable publication.
  • Removes post-publication gh release upload jobs from release-event workflows.
  • Adds supply-chain regression coverage that rejects release: published asset mutation.

Verification

  • uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q
  • python3 scripts/checks/verify_supply_chain.py
  • python3 scripts/checks/security_gates.py
  • actionlint .github/workflows/build-baseline.yml .github/workflows/sbom.yml
  • ./scripts/harness/quickcheck.sh
  • npm audit --workspaces --audit-level=high

Security Notes

  • Attack surface: GitHub release publication, release assets, checksums, SBOM, and supplemental inventory.
  • Trust boundary: public GitHub Release records are treated as supply-chain artifacts and must not be mutated after publication.
  • Mitigations: the release workflow now creates a draft release, validates all four OS/architecture artifact families plus checksums and SBOM inputs, attaches assets while mutable, then publishes.
  • Remaining risk: existing immutable v0.1.2 remains empty because GitHub rejects post-publication asset mutation; a follow-up release tag is needed for corrected public assets.
  • Test points: supply-chain policy tests reject release: published workflows that call gh release upload; actionlint validates edited workflow YAML.

coderabbitai Bot commented Apr 28, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2863afb1-7aae-494f-8ed0-1d70e9c23874


@seonghobae seonghobae merged commit 6aafe3d into main Apr 28, 2026
22 checks passed
@seonghobae seonghobae deleted the fix/immutable-release-publishing branch April 28, 2026 23:19