feat(ci): add ws-ckpt signing support in package-source action

[samchu-zsl]

Description

Extend the shared package-source GitHub composite action to support signing ws-ckpt release archives using the existing sign-skill.sh toolchain, mirroring the flow already implemented for os-skills and agent-sec-core. The original Step 4/5 signing steps are regrouped as numbered sub-steps (4.1/4.2/4.3) to make the three signing variants read as a single logical phase, and the downstream Summarize / Compute checksum / Upload artifact steps are renumbered to 5/6/7. When SKILL_SIGN_PRIVATE_KEY is not provided, a warning is emitted and the archive is published unsigned, matching the behavior of the other two components.

Related Issue

no-issue: extends existing CI signing flow to cover the ws-ckpt component; purely additive to the reusable composite action.

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional change)
• Performance improvement
• CI/CD or build changes

Scope

• cosh (copilot-shell)
• sec-core (agent-sec-core)
• skill (os-skills)
• sight (agentsight)
• tokenless (tokenless)
• Multiple / Project-wide

Checklist

• I have read the Contributing Guide
• My code follows the project's code style
• I have added tests that prove my fix is effective or that my feature works
• I have updated the documentation accordingly
• Lock files are up to date (package-lock.json / Cargo.lock)

Testing

Change is limited to a reusable GitHub Actions composite action:

• YAML structure reviewed manually against the existing os-skills and agent-sec-core signing blocks for parity (condition, env, sign-skill.sh invocation, re-archiving, ARCHIVE_SIGNED flag, fallback warning).
• End-to-end verification will be performed on the next ws-ckpt release run that consumes this action; the unsigned fallback path is preserved when SKILL_SIGN_PRIVATE_KEY is absent, so existing component builds remain unaffected.

Additional Notes

• The new block assumes ws-ckpt archives expose a src/skills directory consumable by sign-skill.sh --batch, consistent with the other signed components.
• Step renumbering is comment-only and does not change runtime semantics of the existing steps.

[samchu-zsl]

Caution

This PR was generated and submitted by AI.
Please review all changes carefully before merging. Pay special attention to logic correctness, edge cases, and potential side effects.

[samchu-zsl]

Manual verification successful.