With the current setup, every single day we download every single
artifact of evry single release we've ever made on GitHub, twice (once
from GitHub, once from GCS). Then we check signatures and compare the
two.
With this change, we save a representation of the state of both GCS and
GitHub, and if that representation hasn't changed, we assume the
artifacts haven't changed either. The assumption seems reasonable to me
as the representation includes platform timestamps, which no user can
tamper with as far as I'm aware.
Note: we do not save the entire GitHub release representation, and
instead just save relevant metadata for the associated artifacts. The
goal of this job is to verify that the artifacts haven't changed; it is
acceptable (and even expected in routine circumstances) that the
release description will change, as well as its "prerelease" and "latest
release" flags.