Update GPG documentation

[sheerlox]

As the GPG documentation on this plugin's README is getting a bit old, does not mention a good GitHub Actions solution, and is a bit confusing, it would benefit from being refreshed.

Worth mentioning that if we progress towards getting semantic-release/semantic-release#1871 merged, it would be worth moving the GPG instructions directly into the web documentation (maybe even preemptively).

Things that could/should be included in the future documentation:

• crazy-max/ghaction-import-gpg as discussed in GPG Signatures Configuration #438.
• to meet the "require verified commits" branch protection requirement, the documentation suggests adding the generated GPG key to the account owning the GitHub token used for release, which is hazardous, given a user with push access to the repository could then retrieve it and use it to impersonate you. That approach would be secure only if using a dedicated bot account (ideally per repository).
• the issue above would not apply to signing tags, because the branch protection rule does not apply to them

[AliSajid]

I'd be happy to send a pull request for updated documentation. I've experimented with this before and was blocked because of the infinite hang issue.

Can you please clarify what you mean about using a dedicated bot account? Would the action itself be performed by a bot-account, using their GPG credentials as opposed to using a regular user?

[sheerlox]

Can you please clarify what you mean about using a dedicated bot account? Would the action itself be performed by a bot-account, using their GPG credentials as opposed to using a regular user?

"bot account" in this context refers to a regular GitHub account used only by the semantic-release CI. It increases the security of the maintainer's account by not adding a GPG key used in a CI process to their own GitHub account because, in case that key ever gets compromised, it cannot be used to impersonate the maintainer.

[AliSajid]

Thank you. For my own purpose, I already have a dedicated github account for bot-actions so this will be easy. I'll work on the docs and send a PR soon.