How are you signing your software? Gave GPG key to a GitHub action?
I download the tarballs locally on my laptop, compute checksums into a manifest file and GPG-sign the manifest file. Then I upload the manifest and the signature .asc file to the release.
https://github.com/sommerfelddev/sentrum/blob/master/utils/create-signed-manifest.sh
No way I would give GitHub my PGP key lol.
Good to know you do that, so many devs just stuff it in the GH secrets.
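The local workflow described in the comment above (checksum manifest, detached GPG signature made off CI, then verification on the download side), as an added example; it is not the linked create-signed-manifest.sh script or any project's own code. The function names, the `*.tar.gz` pattern and the key ID argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Function names, file patterns and the key ID are assumptions.

# Maintainer side: write a SHA-256 manifest for every tarball in a directory.
make_manifest() {
    local dir=$1 manifest=$2 out
    # Hash from inside the directory so the manifest holds bare file names.
    # Fails (and writes nothing) if no tarball is present.
    out=$(cd "$dir" && sha256sum -- *.tar.gz) || return 1
    printf '%s\n' "$out" > "$manifest"
}

# Maintainer side: detached, ASCII-armored signature over the manifest.
# Runs on the maintainer's machine, so the private key never reaches CI secrets.
sign_manifest() {
    local manifest=$1 key_id=$2
    gpg --local-user "$key_id" --armor --detach-sign \
        --output "$manifest.asc" "$manifest"
}

# Download side: every file named in the manifest must exist and match.
check_tarballs() {
    local dir=$1 manifest=$2 abs
    abs=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest") || return 1
    ( cd "$dir" && sha256sum --check --strict --quiet "$abs" )
}

# Download side: signature first, hashes second. The hashes only mean
# something once the manifest itself is known to come from the signer.
verify_release() {
    local dir=$1 manifest=$2
    gpg --verify "$manifest.asc" "$manifest" || return 1
    check_tarballs "$dir" "$manifest"
}
```

`gpg --verify` only proves the manifest was signed by a key in the local keyring, so the signer's fingerprint still has to be checked through a channel other than the release page.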