
ci: fix shellcheck exclude-path and cosign legacy bundle format#5

Merged
mreuvekamp merged 2 commits into main from worktree-fix-shellcheck-vendor-exclude
May 7, 2026

Conversation

Collaborator

@ericwout-overheid ericwout-overheid commented May 6, 2026

Summary

Two unrelated CI fixes, both surfaced after security PR #3 landed. Bundled because the second one only became visible the first time we cut a release and is small.

1. shellcheck exclude-path (originally scoped fix)

  • The redhat-plumbers-in-action/differential-shellcheck@v5.5.6 action does not accept `ignored-paths`; it logs `##[warning]Unexpected input(s) 'ignored-paths'` and scans the vendored scripts anyway.
  • With `strict-check-on-push: true`, SC2034/SC2046 warnings inside `claude-sandbox/vendor/install-scripts/sdkman.sh` fail the push job on main (run 25443956040).
  • Renames the input to the documented `exclude-path` and uses a `**` glob to actually skip the vendor tree, matching the `:!:claude-sandbox/vendor/**` filter already used in the other two jobs.

2. release-sign cosign legacy bundle format (added)

  • cosign >= 2.5 enables `--new-bundle-format` by default, which silently ignores `--output-signature` / `--output-certificate` and then errors with `create bundle file: open : no such file or directory` because no `--bundle` path was provided.
  • Repro: publishing release v0.1.0 triggered run 25457374576, which failed on the "Sign archive with cosign keyless" step for the same reason on both `sign-blob` calls.
  • Fix passes `--new-bundle-format=false` on both calls so the existing `.sig` / `.pem` asset layout — and the consumer verification instructions in SECURITY.md — keep working without a bundle migration.

Test plan

  • Ran `shellcheck --severity=warning -x` locally on the three tracked non-vendor scripts (entrypoint.sh, init-firewall.sh, install-docker.sh); all clean.
  • Confirm the differential-shellcheck job on this PR no longer logs the "Unexpected input(s) 'ignored-paths'" warning.
  • Confirm the job is green on push to main after merge.
  • After merge, re-trigger release-sign for v0.1.0 via `gh workflow run release-sign --ref main -f tag=v0.1.0` and confirm both `sign-blob` calls produce non-empty `.sig` / `.pem` assets.

🤖 Generated with Claude Code

The differential-shellcheck action does not accept `ignored-paths`; it
warns "Unexpected input(s) 'ignored-paths'" and silently scans the
vendored scripts anyway. With `strict-check-on-push: true`, vendor
warnings (SC2034, SC2046, etc. in sdkman.sh) fail the push job on main.

Rename to the documented `exclude-path` input and use a `**` glob so the
entire vendor tree is skipped, matching the intent that already exists
in the `git ls-files ':!:claude-sandbox/vendor/**'` filters used by the
PR-fail step and the fork-PR fallback job.

Fixes failing run on main: 25443956040.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cosign >= 2.5 enables --new-bundle-format by default, which silently
ignores --output-signature/--output-certificate and then fails because
no --bundle path is provided ("create bundle file: open : no such file
or directory"). Pin the legacy format so the existing .sig/.pem asset
layout and SECURITY.md verification instructions keep working without
a bundle migration.

Repro: release v0.1.0 publish triggered run 25457374576 which failed
on the Sign-archive step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
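As an added example (not the repository's own workflow, and not code from the PR), a release-signing job in the shape the description and commit message refer to: the cosign >= 2.5 invocation that fails is shown commented out beside the pinned legacy-format call, followed by the consumer-side `verify-blob` check that the `.sig` / `.pem` layout keeps working. The archive name, the cosign-installer step, the `ORG/REPO` workflow identity and the OIDC issuer are assumptions.

```yaml
# Added example, not the project's workflow. Assumed: archive name, install
# step, signing identity (ORG/REPO placeholder) and GitHub's OIDC issuer URL.
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # keyless (Fulcio/OIDC) signing needs an OIDC token
      contents: write   # to upload the .sig / .pem release assets
    steps:
      - uses: sigstore/cosign-installer@v3
      # BROKEN on cosign >= 2.5: --new-bundle-format defaults to true, so the
      # --output-* flags are silently ignored and, with no --bundle path, the
      # step dies with "create bundle file: open : no such file or directory".
      # - run: |
      #     cosign sign-blob --yes \
      #       --output-signature release.tar.gz.sig \
      #       --output-certificate release.tar.gz.pem \
      #       release.tar.gz
      # FIXED: pin the legacy detached signature + certificate layout.
      - name: Sign archive with cosign keyless
        run: |
          cosign sign-blob --yes --new-bundle-format=false \
            --output-signature release.tar.gz.sig \
            --output-certificate release.tar.gz.pem \
            release.tar.gz
          # Fail the job rather than publish empty assets (-s: non-empty file).
          test -s release.tar.gz.sig && test -s release.tar.gz.pem
      # What a consumer following SECURITY.md-style instructions runs against
      # the published assets; identity regexp and issuer are assumed values.
      - name: Verify detached signature
        run: |
          cosign verify-blob \
            --certificate release.tar.gz.pem \
            --signature release.tar.gz.sig \
            --certificate-identity-regexp '^https://github.com/ORG/REPO/\.github/workflows/release-sign\.ya?ml@' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            release.tar.gz
```

Pinning the identity regexp and issuer is what makes keyless verification meaningful; `verify-blob` without them only proves that some Fulcio-issued certificate signed the file.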
@ericwout-overheid ericwout-overheid changed the title from "ci(shellcheck): use exclude-path to skip claude-sandbox/vendor" to "ci: fix shellcheck exclude-path and cosign legacy bundle format" May 6, 2026
@mreuvekamp mreuvekamp merged commit 72b5f1e into main May 7, 2026
8 checks passed
@mreuvekamp mreuvekamp deleted the worktree-fix-shellcheck-vendor-exclude branch May 7, 2026 06:55