Commit GPG signatures on release

[itchyny]

I improved the release job to GPG sign and commit the artifact signatures to the repository. Note that the secret names are slightly different from what is currently registered.

[nicowilliams]

Ok, let's test this. This should make a release for master, yes? I'll merge and find out!

[nicowilliams]

Thanks!

[itchyny]

This is triggered on pushing the release tag so maybe we can test with jq-1.7rc1. If you're busy I'll make a GPG key but what kind of key are you using? RSA 4096bits or ECC Curve25519?

[nicowilliams]

I just pushed a jq-1.7rc1 tag. If it works I'll make a new key since then I've nothing else to do for this :) :)

Now [if this works] I don't have to waste any time this weekend on this! Thank you!

[itchyny]

Sorry I should have emphasized that I changed the secret name. JQ_RELEASE_GPG_PRIVATE_KEY and JQ_RELEASE_GPG_PASSPHRASE.

[itchyny]

You don't need re-tagging. You can register the keys in the release environment with the new names, and approve https://github.com/jqlang/jq/actions/runs/5686058422 after that.

[itchyny]

@owenthereal approved without noticing this thread, but that's Okay. Firstly Nico registers the keys with the new names, and then Re-run https://github.com/jqlang/jq/actions/runs/5686058422 from failed, and approve it again.