PICARD-2691: provide signed source archives

[phw]

Summary

• This is a…
  • Bug fix
  • Feature addition
  • Refactoring
  • Minor / simple change (like a typo)
  • Other
• Describe this change in 1-2 sentences:

Problem

• JIRA ticket (optional): PICARD-2691

Since PyPI stopped providing signed source files we did no longer provide signed sources automatically.

Also we always relied on source files automatically generated by Github for our official release. This causes two source files to exist for Picard (on PyPI and official download). Also the Github generated source files are not stable. They can get regenerated later resulting in changed checksum.

Solution

• Re-activate GPG source file signing in the PyPI builds
• Extend the build to generate both tar.gz and zip
• Make the release-pypi workflow a dependency of the package workflow and publish the resulting artifacts (source archives .tar.gz and .zip + their signatures) on Github release

I did perform a full test deployment cycle on my fork (please ignore the version number mixup and old changelog here, this is still using old number). The workflow run is at https://github.com/phw/picard/actions/runs/5858950764/job/15884133636

See how the picard-sdist artifact contains the .asc signatures.

The deployment result is at https://github.com/phw/picard/releases/tag/release-2.9.1a0 I did a test release, but accidentally already cleaned it up. Anyway, it did successfully deploy the source artifacts to the Github release.

The source files provided there are picard-2.9.tar.gz and picard-2.9.zip, and the corresponding .asc files are also included.