Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
The GitHub release assets for the step-kms-plugin do not contain a source code archive (step-kms-plugin_.tar.gz) including a Cosign signature like the releases for step-cli and step-certificates (step-ca).
Why is this needed?
The GitHub archives based on the tag do not produce a stable checksum hash, which causes issues from time to time during the rebuild of Alpine packages. Adding the source code archive file to the release artifacts provides a source code archive with a stable checksum which can be used as a source for packaging (for example Alpine Linux packages). Adding it to the checksum.txt and adding a cosign signature improves the validation of the source code archive for the release.