[feature request] Enable immutable releases

[martincostello]

Package

None

Is your feature request related to a problem?

To improve the security and integrity of the release process, we should enable Immutable releases.

The prevents tags associated with releases being deleted and release artifacts from being tampered with.

We already create releases as drafts:

opentelemetry-dotnet/build/scripts/post-release.psm1

Lines 93 to 98 in ec24ad0

	gh release create $tag $releaseFiles `
	--title $tag `
	--verify-tag `
	--notes $notes `
	--prerelease `
	--draft

opentelemetry-dotnet/build/scripts/post-release.psm1

Lines 111 to 116 in ec24ad0

	gh release create $tag $releaseFiles `
	--title $tag `
	--verify-tag `
	--notes $notes `
	--latest `
	--draft

We would just need to ensure that any files required are attached to the release before the release is published here:

opentelemetry-dotnet/build/scripts/post-release.psm1

Line 262 in ec24ad0

gh release edit $tag --draft=false

What is the expected behavior?

Releases are immutable, which appear in the UI similar to below:

Which alternative solutions or features have you considered?

None.

Additional context

open-telemetry/sig-security#164

Tip

_{React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it. Learn more here.}

[Kielek]

I would go with contrib repositories first.
It will be easier to E2E tests it. When settled, we can propagate here.