feat: auto-refresh checksums

[caarlos0]

This allows checksums to be "refreshed" at will.

The idea is, for instance, if your signing config replaces the original binary, you could have a config like this:

signs:
# replaces the archives with signed ones
- cmd: something
  args: ["etc"]
  artifacts: archive
# refresh the checksums and sign with cosign
- cmd: cosign
  stdin: '{{ .Env.COSIGN_PWD }}'
  args: ["sign-blob", "-key=cosign.key", "-output=${signature}", "${artifact}"]
  artifacts: checksum

The pre-requisite is to sign the checksum as well to trigger the refresh. Maybe we can refresh it always in the end anyway?

So, this now actually refreshes the checksums once the sign pipe finishes... which means that the checksums should always be up to date.

closes #1802

[codecov]

Codecov Report

Merging #2573 (67bb7f0) into main (f9687b4) will increase coverage by 0.05%.
The diff coverage is 95.52%.

@@            Coverage Diff             @@
##             main    #2573      +/-   ##
==========================================
+ Coverage   84.90%   84.95%   +0.05%     
==========================================
  Files         105      105              
  Lines        7901     7951      +50     
==========================================
+ Hits         6708     6755      +47     
- Misses        978      980       +2     
- Partials      215      216       +1     

Impacted Files	Coverage Δ
internal/pipe/sign/sign.go	96.87% <72.72%> (-1.48%)	⬇️
internal/artifact/artifact.go	98.59% <100.00%> (+0.23%)	⬆️
internal/pipe/blob/upload.go	77.30% <100.00%> (-0.28%)	⬇️
internal/pipe/checksums/checksums.go	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f9687b4...67bb7f0. Read the comment docs.