I download the tarballs locally on my laptop, compute checksums into a manifest file and gpg-sign the manifest file. Then I upload the manifest and the signature .asc file to the release.
https://github.com/sommerfelddev/sentrum/blob/master/utils/create-signed-manifest.sh
No way I would give GitHub my PGP key lol.
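The workflow described in the comment above, as an added example that is neither the commenter's code nor the sentrum project's create-signed-manifest.sh: it builds a sha256sum-style manifest over constructed sample artifacts, wraps the detached ASCII-armored gpg signing step (run only when gpg is installed; gpg will prompt for the key's passphrase), and adds the consumer-side check that catches a modified or missing download. The artifact names, their contents and the optional key id are placeholders.

```python
"""Build, sign and verify a SHA256SUMS manifest for release artifacts.

Added example, not the sentrum project's script. The artifacts below are
constructed in a temporary directory so the whole thing runs offline.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large tarballs do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(directory, names, manifest_name="SHA256SUMS"):
    """Write '<hex digest>  <name>' lines, the format `sha256sum -c` accepts."""
    lines = [f"{sha256_file(os.path.join(directory, n))}  {n}" for n in sorted(names)]
    path = os.path.join(directory, manifest_name)
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path


def verify_manifest(directory, manifest_path):
    """Consumer-side check: return {name: 'OK' | 'FAILED' | 'MISSING'} per entry."""
    results = {}
    with open(manifest_path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, name = line.split("  ", 1)
            name = name.lstrip("*")  # tolerate sha256sum's binary-mode marker
            p = os.path.join(directory, name)
            if not os.path.isfile(p):
                results[name] = "MISSING"
            elif sha256_file(p) == expected:
                results[name] = "OK"
            else:
                results[name] = "FAILED"
    return results


def sign_manifest(manifest_path, key_id=None):
    """Produce <manifest>.asc, an armored detached signature, with the local gpg.

    Signing happens on the maintainer's machine; the private key never leaves it.
    Returns the signature path, or None when gpg is not installed.
    """
    if shutil.which("gpg") is None:
        return None
    sig = manifest_path + ".asc"
    cmd = ["gpg", "--armor", "--detach-sign", "--output", sig]
    if key_id:  # placeholder: the maintainer's signing key id or fingerprint
        cmd += ["--local-user", key_id]
    subprocess.run(cmd + [manifest_path], check=True)
    return sig


def demo():
    """Constructed scenario: two fake tarballs, then a tampered and a missing one."""
    d = tempfile.mkdtemp()
    artifacts = {
        "app-1.0-linux.tar.gz": b"constructed linux build bytes",
        "app-1.0-macos.tar.gz": b"constructed macos build bytes",
    }
    for name, data in artifacts.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = write_manifest(d, artifacts)
    clean = verify_manifest(d, manifest)
    # A swapped download: the artifact changes after the manifest was signed.
    with open(os.path.join(d, "app-1.0-macos.tar.gz"), "ab") as f:
        f.write(b"!")
    tampered = verify_manifest(d, manifest)
    # An artifact listed in the manifest that the downloader never received.
    os.remove(os.path.join(d, "app-1.0-linux.tar.gz"))
    missing = verify_manifest(d, manifest)
    shutil.rmtree(d)
    return clean, tampered, missing


if __name__ == "__main__":
    for stage, result in zip(("clean", "tampered", "missing"), demo()):
        print(stage, result)
```

On the downloading side the equivalent check is `gpg --verify SHA256SUMS.asc SHA256SUMS` followed by `sha256sum -c SHA256SUMS`; the signature only proves anything if the maintainer's public key was obtained and its fingerprint confirmed through a channel other than the release page itself.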