The golang build cache seems to only grow over time and is now causing
disk space issues on the release builder. Since the release build has to
build for targets that aren't built during other GH actions and our
releases are too far apart to be hitting the cache anyway we suspect the
cache doesn't actually help that much.
Removing it might mean the build takes a bit longer but at least won't
cause any problems with full virtual disks anymore.
Due to a misunderstanding of how the gpg command line options work, we
didn't actually create detached signatures because the --clear-sign
flag would overwrite that. We update our verification script to now only
download the detached signatures and verify them against the main
manifest file.
We also update the signing instructions.
To avoid leaking any sensitive information like Docker Hub credentials
because of compromised actions repositories, we use our own, vendored
actions for all steps that potentially touch sensitive information.
This commit adds another GitHub workflow that is activated for each
pushed tag. The release binaries are compiled from that tag for all
supported architectures. A new release in the GitHub repository is then
drafted for the tag and the finished binary packages are uploaded to
that release.