Generate checksums during package

[yaelharel]

Fixes #674.

[yaelharel]

Notes:

• I still need to edit draft-release.yml.
• The new "sha" files don't contain the files names as in pack because pack is using the shasum -a 256 command (and its output contains the file name) while lifecycle is doing it in tools/packager/main.go.

### pack:
cat pack-v0.20.0-linux.tgz.sha256 
1d879c8f99130b30e080153b1025ee51cfeddfb41612e5c257a89d3a358fc3c2  pack-v0.20.0-linux.tgz
### lifecycle
cat lifecycle-v0.11.2-172+6519163e+linux.x86-64.tgz.sha256 
05f86913fb7ec92e31f15126888b1636794be065ff1de044ff3ed08e1554da3e

I can add the file name to the file itself but I don't think it's necessary because the user can see it from the file name itself.

[yaelharel]

The Github Actions part was tested on my fork:

• build
• draft-release
• post-release

[natalieparellano]

Verified with https://github.com/yaelharel/lifecycle/releases/tag/v0.99999.0 (LOL version 0.99999.0 - I've been there!)

I think the pack .sha256 files have that formatting because they're using shasum. I don't know what is the value of having the filename as part of the file. Maybe we'd want to add a newline (so that it's more readable in a terminal). @jabrown85 do you have any strong preference here?

Worth noting that we'll be using new tags for the linux x86-64 lifecycle image (linux-x86-64 vs linux), but I don't think that matters because the endpoint for the manifest list hasn't changed.

$  cat lifecycle-v0.99999.0+linux.x86-64.tgz.sha256
37deb568d2af8ab3f0d475766a19ba0e1420d3e3067a11ed8ce5ce502a51b309
<added newline>
$  shasum -a 256 lifecycle-v0.99999.0+linux.x86-64.tgz  
37deb568d2af8ab3f0d475766a19ba0e1420d3e3067a11ed8ce5ce502a51b309  lifecycle-v0.99999.0+linux.x86-64.tgz

$  cat lifecycle-v0.99999.0+windows.x86-64.tgz.sha256
ec041437b43567c4734df3f0832b4d2af14b5d75801db4a4eccd2003cf8378e5
<added newline>
$  shasum -a 256 lifecycle-v0.99999.0+windows.x86-64.tgz  
ec041437b43567c4734df3f0832b4d2af14b5d75801db4a4eccd2003cf8378e5  lifecycle-v0.99999.0+windows.x86-64.tgz

$  docker run yaelharel/lifecycle:0.99999.0 /cnb/lifecycle/lifecycle -version
0.99999.0+92e9e8d
$  docker run -v lifecycle:/cnb/lifecycle yaelharel/lifecycle:0.99999.0 /cnb/lifecycle/lifecycle -version
0.99999.0+92e9e8d

[jabrown85]

I think the pack .sha256 files have that formatting because they're using shasum. I don't know what is the value of having the filename as part of the file. Maybe we'd want to add a newline (so that it's more readable in a terminal). @jabrown85 do you have any strong preference here?

I like adding a newline. It is what I've seen more often than not. I have also seen a single hashes.txt with a format like this:

lifecycle-v0.99999.0+linux.x86-64.tgz 37deb568d2af8ab3f0d475766a19ba0e1420d3e3067a11ed8ce5ce502a51b309
lifecycle-v0.99999.0+windows.x86-64.tgz ec041437b43567c4734df3f0832b4d2af14b5d75801db4a4eccd2003cf8378e5

I don't have a strong opinion on this though. As long as the hash is somewhere I'm confident the users who intend to verify will find a way :)

[yaelharel]

@natalieparellano @jabrown85, thanks for your feedback.
Natalie, you're right. As I wrote in this comment:

The new "sha" files don't contain the files names as in pack because pack is using the shasum -a 256 command (and its output contains the file name) while lifecycle is doing it in tools/packager/main.go.

I slightly prefer having a separate sha file for every os, so I'm going to add the newline as you requested.
Jesse, please let me know if you change your mind and you prefer that we'll have a single sha file and I'll make the change accordingly.

[yaelharel]

@natalieparellano @jabrown85, please see caaeff2 for the new line addition.
I didn't re-run the release process on my repository because I don't think it's necessary. If you think differently, please let me know and I'll do so.
Thanks!