CI: Sign all binary artifacts, not just release artifacts #1669

@RyanGlScott

Currently, the CI only signs binary artifacts if they correspond to a full-blown release. (See here). I propose that we instead sign binary artifacts on every commit, not just releases, for the following reasons:

  1. Always signing binaries gives us more confidence that the CI process is working correctly.
  2. If something goes wrong with a release, it's handy to be able to download a binary artifact from an adjacent commit and have everything signed already.
  3. The .sig files that are produced are incredibly small (~500 bytes), so there is no real file size penalty for including them.

See also GaloisInc/cryptol#1355.
