Introduce unified manifest file

[fasterthanlime]

Closes #1321

This writes out unified checksum files like sha256.sum or sha512.sum (which are compatible with GNU-style sha256sum -c sha256.sum invocations) depending on which checksum style is chosen from the dist config.

It's a new global artifact which is built after all the local artifacts, re-using the checksums computed earlier. The plan is to eventually stop publishing individual checksum files like some-binary.sha256 and only publish the unified checksum file, which will reduce noise / make publishing faster, etc.

[mistydemeo]

Looking good! I popped this into BSD sha256sum, and confirmed it was happy using this as a check file.

I wonder if we might want to consider adding the hash file to the snapshots, so we can confirm the format stays stable? Not that I expect us to change code that modifies it often, but it feels roughly as snapshottable as the shell installers.

[fasterthanlime]

I wonder if we might want to consider adding the hash file to the snapshots, so we can confirm the format stays stable?

Just did that, which taught me about the snapshotting system for tests.

[mistydemeo]

Hm, I guess the NPM package hash isn't actually stable, is it?

If you're interested in learning about snapshot filtering, we could use that here to remove the unstable hash from the snapshots. Or we could punt on snapshotting the file contents at this point.

[fasterthanlime]

Just noting here that @ashleygwilliams asked me to document why the npm packages aren't stable — which I will do ~around merging this PR, because I'll probably just end up skipping/censoring the checksums from the snapshots for the time being.

[fasterthanlime]

Okay I guess none of our tars are stable right now so.. I'll just remove the unified manifest file from the snapshots for the time being? or just censor everything, but that's silly

[mistydemeo]

Right, I forget it doesn't hash the text installers, which are the things that would be stable. Yes, fine to drop it at this point.