build-git-installers: publish gpg public key

Update build-git-installers workflow to publish `microsoft/git`'s GPG public
key as part of each release. Add explanation for how to use this key to verify
the Debian package's signature to the README.

Author: ldennington

.github/workflows/build-git-installers.yml

@@ -630,11 +630,16 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write # required for Azure login via OIDC
     needs:
       - create-linux-artifacts
       - create-macos-artifacts
       - windows_artifacts
       - prereqs
+    env:
+      AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+      GPG_PUBLIC_KEY_SECRET_NAME: ${{ secrets.GPG_PUBLIC_KEY_SECRET_NAME }}
+    environment: release
     if: |
       success() ||
         (needs.create-linux-artifacts.result == 'skipped' &&
@@ -677,6 +682,20 @@ jobs:
           name: linux-artifacts
           path: deb-package
 
+      - name: Log into Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Download GPG public key signature file
+        run: |
+          az keyvault secret show --name "$GPG_PUBLIC_KEY_SECRET_NAME" \
+            --vault-name "$AZURE_VAULT" --query "value" \
+            | sed -e 's/^"//' -e 's/"$//' | base64 -d >msft-git-public.asc
+          mv msft-git-public.asc deb-package
+
       - uses: actions/github-script@v6
         with:
           script: |