For additional security, we should build the release artifact again at "publish-release" time, and then compare it against the copy we have in the github release. This will allow us to verify a malicious actor hasn't replaced the artifact in the github release between staging the release and publishing it.
Considerations:
- the build environment will need to be identical to the "create-release-artifacts" (or we just call it again?)
- this will "slow down" releases because it'll take the full build time to create it. (maybe we could skip the validation steps though and just to the build and package)?
For additional security, we should build the release artifact again at "publish-release" time, and then compare it against the copy we have in the github release. This will allow us to verify a malicious actor hasn't replaced the artifact in the github release between staging the release and publishing it.
Considerations: