chore: enhance GoReleaser configuration and GitHub Actions workflows for GPG signing

- Added GPG signing configuration to .goreleaser.yml to support artifact signing.
- Updated auto-tag.yml and release.yml to include necessary secrets for GPG signing, enhancing security and functionality.
- Ensured that GPG keys and passphrase are conditionally utilized in the release process.

.github/workflows/auto-tag.yml

@@ -51,4 +51,7 @@ jobs:
     needs: auto-tag
     uses: ./.github/workflows/release.yml
     permissions: write-all
-    secrets: inherit
+    secrets:
+      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      PASSPHRASE: ${{ secrets.PASSPHRASE }}

.github/workflows/release.yml

@@ -2,6 +2,13 @@ name: Release
 
 on:
   workflow_call:
+    secrets:
+      RELEASE_TOKEN:
+        required: true
+      GPG_PRIVATE_KEY:
+        required: false
+      PASSPHRASE:
+        required: false
   push:
     tags:
       - "v*"
@@ -38,7 +45,7 @@ jobs:
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
-        if: ${{ env.GPG_PRIVATE_KEY != '' }}
+        if: ${{ secrets.GPG_PRIVATE_KEY != '' }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4

.goreleaser.yml

@@ -95,3 +95,12 @@ release:
 
 snapshot:
   name_template: "{{ incpatch .Version }}-next"
+
+signs:
+  - cmd: gpg
+    args:
+      - "--output"
+      - "${signature}"
+      - "--detach-sign"
+      - "${artifact}"
+    artifacts: checksum