Allow to upload packages by creating and pushing a signed git tag

The problem

While most packages are maintained in git, uploading them to the archive requires an extra dput still. This makes git and the sources in the archive disconnected.

Actual situation

Having git and the archive disconnected has several problems:

• The sources in the archive don't necessarily match the git tag for that version.
• The developer has to perform extra steps

Expected situation

It would be great if pushing a signed git tag would be sufficient to trigger a build of the binary packages. The "source of truth" would be the git archive. E.g. a

git tag -s <tag> && git push origin <tag>

should be sufficient to release a package into Debian. This would make sure

• git clone gives you exactly what's in the archive
• There's no way to accidentally have sources that don't match git hence e.g. don't reproduce certain bugs
• we'd have all the gitlab-ci etc as qa (we could even only let the tag through if it passes)

Additional information

I left the above pretty vague on purpose since the fact if we want to generate a dsc + tarball and still maintain the "archive" or if all sources should live in a blessed git instance should be discussed. Basically the only requirement would be that what the developer tags is 1:1 what is used to build the package.