Please sign release tarballs and/or release tags

[ottok]

Hi!

While working on the Debian packaging for this Go program, I noticed that there are no *.asc signatures published at https://github.com/caarlos0/env/releases nor does the git tags in this project have signatures.

For better supply chain security, please consider signing both tags and release artifacts. Thanks!

[caarlos0]

will work on this when i have some time

[Juneezee]

The Debian Wiki provides step-by-step instructions for this: https://wiki.debian.org/Creating%20signed%20GitHub%20releases.

However, the steps on the Wiki page are manual. I suggest automating the process using GitHub Actions, for example, by storing the private key as a GitHub Actions secret.

[ottok]

The step to sign a release in https://wiki.debian.org/Creating%20signed%20GitHub%20releases is intentionally done locally on dev laptop to avoid leaking the private key to GitHub.