Fix release build again (#1400)

* Fix build again

* Recommend (r)age over minisign password

* Dry-run the entire release process

* Reorg a bit so dry-run works

* Fix secret name

* Add check on age key

* Pass secrets down

* Use a cross-platform "date"

* Delete signing key artifact to be extra safe

* Last little bits

.github/scripts/ephemeral-gen.sh

@@ -2,21 +2,12 @@
 
 set -euxo pipefail
 
-cargo binstall -y rsign2
+cargo binstall -y rsign2 rage
 rsign generate -f -W -p minisign.pub -s minisign.key
 
-cat >> crates/bin/Cargo.toml <<EOF
-[package.metadata.binstall.signing]
-algorithm = "minisign"
-pubkey = "$(tail -n1 minisign.pub)"
-EOF
-
-echo "public=$(tail -n1 minisign.pub)" >> "$GITHUB_OUTPUT"
-cp minisign.pub crates/bin/minisign.pub
-
 set +x
 echo "::add-mask::$(tail -n1 minisign.key)"
-echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
 set -x
 
+rage --encrypt --recipient "$AGE_KEY_PUBLIC" --output minisign.key.age minisign.key
 rm minisign.key