Immutable releases are now generally available in Github as of a month or two ago. I think it would be great to have that checkmark enabled on this repo:
This would generate a release attestation that can be verified with the GitHub CLI (or other mechanisms) via:

```shell
gh release verify --repo ... 1.2.3
```

and

```shell
gh release download --repo ... 1.2.3
gh release verify-asset --repo ... 1.2.3 ./some-awesome-file.txt
```

Now, functionally this is mostly just a SHA256 comparison and some signatures, so, 🤷🏽
I think the real value comes from immutable tags and immutable release assets. Release title and release notes are still editable.
The release page also gains this lock icon + "Immutable" label:

It does require a possible change to the release workflow (depending on how it's currently done), where the immutability happens on release "publish", so all assets need to be uploaded in "draft" releases, before it gets locked:
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases#best-practices-for-publishing-immutable-releases
This is orthogonal to the Github Actions + supply chain integrity/attestation (aka. build provenance workflow) mentioned here (which would be nice, but would also require substantially more work):
#725
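As an added example (not the issue author's or the repository's own workflow), here is a minimal GitHub Actions job that follows the draft-then-publish ordering the issue describes: create the release as a draft, upload every asset, then publish so the tag and asset set are locked. The `dist/` path, the `v*` tag pattern and the placeholder build step are assumptions; the final `gh release verify` is the check from the issue.

```yaml
# Added example, not the project's own workflow. Publish a release as a
# draft, upload all assets while it is still a draft, then flip it to
# published so GitHub locks the tag and assets as an immutable release.
# Assumptions: build output lands in dist/, tags are pushed as v*, and
# immutable releases are enabled in the repository settings.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: write   # required to create/edit releases and upload assets

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
      TAG: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4

      # Placeholder build step: replace with the project's real build.
      - name: Build
        run: |
          mkdir -p dist
          echo "example" > dist/some-awesome-file.txt
          (cd dist && sha256sum * > SHA256SUMS)

      # Create the release as a DRAFT. Nothing is locked yet, so assets
      # can still be added or replaced. --verify-tag refuses to create a
      # release for a tag that does not already exist on the remote.
      - name: Create draft release
        run: gh release create "$TAG" --draft --verify-tag --title "$TAG" --notes "Release $TAG"

      - name: Upload assets to the draft
        run: gh release upload "$TAG" dist/*

      # Publishing is the point of no return: once the draft flag is
      # cleared, the tag and the asset set can no longer be changed.
      - name: Publish (makes the release immutable)
        run: gh release edit "$TAG" --draft=false

      # Check the attestation in the same job so a failure blocks the
      # workflow instead of surprising a downstream consumer.
      - name: Verify release attestation
        run: gh release verify --repo "$GITHUB_REPOSITORY" "$TAG"
```

Release title and notes stay editable after publishing, as the issue notes, so anything consumers must trust should live in the assets (for example the `SHA256SUMS` file), not in the notes.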