I just noticed this: we upload the signing outputs (cert, sig, bundle, etc.), but never the actual inputs that they're produced from (unless they're the default release assets).
For example, here are the uploaded assets from a release of abi3audit: we have verification materials for the wheel and sdist, but the wheel and sdist are not themselves attached.
As a fix, we should attach every input we sign for. This shouldn't be a serious size/duplication issue, since GitHub's object storage will do deduplication for us under the hood.
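An added example, not part of the original issue or the project's code: a check that flags verification materials in a release asset listing whose signed input is not attached alongside them. The output suffixes and the sample asset names are assumptions constructed for illustration.

```python
# Suffixes assumed for signing outputs (certificate, signature, bundle);
# adjust to whatever the signing step actually emits.
OUTPUT_SUFFIXES = (".sigstore.json", ".sigstore", ".crt", ".sig")


def signed_input_name(asset):
    """Return the input name an output asset refers to, or None if not an output."""
    for suffix in OUTPUT_SUFFIXES:
        if asset.endswith(suffix) and len(asset) > len(suffix):
            return asset[: -len(suffix)]
    return None


def missing_inputs(assets):
    """Map each signed input absent from the release to its orphaned outputs."""
    present = set(assets)
    missing = {}
    for asset in sorted(present):
        target = signed_input_name(asset)
        if target is not None and target not in present:
            missing.setdefault(target, []).append(asset)
    return missing


# Constructed asset listing modelled on the situation described in the issue:
# verification materials for a wheel and sdist, but no wheel or sdist.
SAMPLE_ASSETS = [
    "example-1.0.0-py3-none-any.whl.crt",
    "example-1.0.0-py3-none-any.whl.sig",
    "example-1.0.0-py3-none-any.whl.sigstore",
    "example-1.0.0.tar.gz.crt",
    "example-1.0.0.tar.gz.sig",
    "example-1.0.0.tar.gz.sigstore",
    "notes.txt",      # an input that is attached
    "notes.txt.sig",  # so this output is not orphaned
]

if __name__ == "__main__":
    for target, outputs in missing_inputs(SAMPLE_ASSETS).items():
        print(f"missing input {target}: verification material {outputs}")
```

Run against a real release's asset names, an empty result means every certificate, signature and bundle can be verified against a file in the same release.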