publish-script: don't clobber COSIGN_PASSWORD with empty default

The previous form did

  COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign sign-blob ...

which set COSIGN_PASSWORD to "" when the caller hadn't exported one.
cosign sees an explicit empty password and tries to decrypt with
it instead of prompting interactively, so any real password-protected
offline key fails with "decryption failed".

Drop the prefix entirely. If COSIGN_PASSWORD is already in env, it
gets inherited normally; if it isn't, cosign prompts on the terminal
— which is the right UX for a maintainer running the publish script
locally with the offline private key.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Thales Maciel 2026-04-29 13:27:23 -03:00
parent 3d748b87c8
commit 12f7a92bb4
No known key found for this signature in database
GPG key ID: 33112E6833C34679

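The set-but-empty versus unset distinction the commit message relies on, shown with a stand-alone script. This is an added example, not code from the publish script or from cosign: the `probe` string, the `old_form`/`new_form`/`demo` helper names and the sample password `hunter2` are all constructed here. The `sh -c` probe stands in for cosign, taking the same three-way decision the message describes (variable present, even if empty: use it; absent: prompt), and one extra case shows that a shell variable that is set but not exported does not reach the child at all.

```bash
#!/bin/sh
# Added example; not part of the publish script or of cosign.
# A child process can tell an unset variable from one exported as "".
# The probe stands in for cosign's own lookup: set (even empty) -> use
# the value; unset -> prompt on the terminal.
probe='
if [ "${COSIGN_PASSWORD+set}" = set ]; then
  if [ -z "$COSIGN_PASSWORD" ]; then echo env-empty; else echo env-value; fi
else
  echo prompt
fi'

# Previous form: the prefix assignment always exports the variable to the
# child, defaulting it to "" when the caller did not set one.
old_form() {
  COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" sh -c "$probe"
}

# Fixed form: nothing is assigned; the child inherits the variable only
# if the caller's shell has it exported.
new_form() {
  sh -c "$probe"
}

# Puts the shell into one environment state and prints what each form
# makes the child see.  $1: unset | empty | exported | shellvar
demo() {
  case "$1" in
    unset)    unset COSIGN_PASSWORD ;;
    empty)    COSIGN_PASSWORD=; export COSIGN_PASSWORD ;;
    exported) COSIGN_PASSWORD=hunter2; export COSIGN_PASSWORD ;;  # constructed sample
    shellvar) unset COSIGN_PASSWORD; COSIGN_PASSWORD=hunter2 ;;   # set, not exported
  esac
  printf '%-9s old=%-9s new=%s\n' "$1" "$(old_form)" "$(new_form)"
}

for state in unset empty exported shellvar; do
  demo "$state"
done
```

The `unset` row reproduces the bug: the old form hands the child an empty password where the new form lets it prompt. The `empty` row shows that a caller who runs `export COSIGN_PASSWORD=` gets the same failure either way, and the `shellvar` row shows the old prefix quietly exporting a value that the fixed script would not pass on.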

@ -112,8 +112,12 @@ log "cosign sign-blob → SHA256SUMS.sig"
# via crypto/ecdsa.VerifyASN1.
# These flags also work on cosign v2.x, so the script is forward- and
# backward-compatible across the v2→v3 boundary.
COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" \
cosign sign-blob --yes \
# If COSIGN_PASSWORD is set in the environment, cosign uses it.
# Otherwise cosign prompts on the terminal — which is what we want
# for a password-protected offline key. Don't pre-set it to empty:
# that suppresses the prompt and makes cosign try to decrypt with
# the empty password, failing with "decryption failed".
cosign sign-blob --yes \
--key "$COSIGN_KEY" \
--use-signing-config=false \
--tlog-upload=false \
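Review bot: the new comment block above `cosign sign-blob --yes \` only describes the interactive case; with COSIGN_PASSWORD unset and no terminal (a CI runner, a cron job, output piped through `tee`), cosign has nothing to prompt on, and the script will block or fail with a message less clear than the old "decryption failed". Suggest an explicit guard just before the call, using the script's existing `log` helper, e.g. `[ "${COSIGN_PASSWORD+set}" = set ] || [ -t 0 ] || { log "COSIGN_PASSWORD unset and no terminal to prompt on"; exit 1; }`, so the non-interactive failure is deliberate and explained. The comment could also note that the caller exporting the variable as an empty string reproduces the same "decryption failed", since the point being made is that set-but-empty counts as a supplied password.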