Hacker News
by westurner 662 days ago
GitHub has package repos for hosting package downloads.

A SLSA Builder or Generator can sign packages and container images with sigstore/cosign.

It's probably also possible to build and sign a repo metadata index with GitHub release attachment URLs and host that on GitHub Pages, but at scale to host releases you need a CDN and release signing keys to sign the repo metadata, and clients that update only when the release attachment signature matches the per-release per-platform key; but the app store does that for you.
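The client-side check this comment describes, as an added example (not code from the commenter, GitHub or sigstore): a client accepts an update only if the repo metadata index verifies against a pinned repo key and the attachment verifies against the key the index lists for that release and platform. Plain Ed25519 from Go's standard library stands in for cosign here; the index layout, `Entry`, `VerifyUpdate`, the `version/platform` key format and the example.invalid URL are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one release attachment in a hypothetical repo metadata index.
type Entry struct {
	URL    string `json:"url"`    // release attachment URL (placeholder in main)
	PubKey []byte `json:"pubkey"` // per-release, per-platform verification key
}

// VerifyUpdate returns the attachment URL only if the index is signed by the
// pinned repo key and the artifact is signed by the key listed for release.
func VerifyUpdate(repoKey ed25519.PublicKey, index, indexSig []byte,
	release string, artifact, artifactSig []byte) (string, error) {
	if !ed25519.Verify(repoKey, index, indexSig) {
		return "", errors.New("index signature invalid")
	}
	var idx map[string]Entry // key: "version/platform" (assumed format)
	if err := json.Unmarshal(index, &idx); err != nil {
		return "", err
	}
	e, ok := idx[release]
	if !ok || len(e.PubKey) != ed25519.PublicKeySize {
		return "", errors.New("no usable key for " + release)
	}
	if !ed25519.Verify(e.PubKey, artifact, artifactSig) {
		return "", errors.New("artifact signature mismatch")
	}
	return e.URL, nil
}

func main() {
	// Constructed sample: fresh keys, a fake artifact, a placeholder URL.
	repoPub, repoPriv, _ := ed25519.GenerateKey(nil)
	relPub, relPriv, _ := ed25519.GenerateKey(nil)
	artifact := []byte("constructed release bytes")
	index, _ := json.Marshal(map[string]Entry{
		"1.2.0/linux-amd64": {URL: "https://example.invalid/app.tar.gz", PubKey: relPub},
	})
	indexSig, artSig := ed25519.Sign(repoPriv, index), ed25519.Sign(relPriv, artifact)
	fmt.Println(VerifyUpdate(repoPub, index, indexSig, "1.2.0/linux-amd64", artifact, artSig))
	fmt.Println(VerifyUpdate(repoPub, index, indexSig, "1.2.0/linux-amd64", append(artifact, 'x'), artSig))
}
```

The index signature is checked before the JSON is parsed, so an unsigned or re-signed index cannot swap in a different per-platform key.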