Sign releases again

The new automation workflow doesn't sign the Git tag or the tarball as
we used to.  Since the tag is still created locally, sign it directly.

For signing the tarball; build it locally and compare the extracted
tarball with the one produced by GitHub.

Closes #11996

.github/workflows/release.yml

@@ -52,7 +52,10 @@ jobs:
           # Need history since the last release (i.e. tag) for stats.
           git fetch --tags
           git fetch --unshallow
-          sh -x ./build_tools/release-notes.sh >"$relnotes"
+          gpg_public_key_url=https://github.com/${{ github.actor }}.gpg
+          curl -sS "$gpg_public_key_url" | grep 'PGP PUBLIC KEY BLOCK' -A5
+          FISH_GPG_PUBLIC_KEY_URL=$gpg_public_key_url \
+            sh -x ./build_tools/release-notes.sh >"$relnotes"
           # Delete title
           sed -n 1p "$relnotes" | grep -q "^## fish .*"
           sed -n 2p "$relnotes" | grep -q '^$'