Closes #465

When publishing from the CLI, uses git rev-parse HEAD to determine which SHA to publish under. This doesn't affect the "trusted" SHA from GitHub that's used to key the storage buckets and make sure the publish can only occur during the GitHub job it's supposed to occur in. This allows workflows like ours at Svelte where we require maintainers to manually run publish workflows for changes coming from forks -- these workflows have to check out a specific SHA, and that works fine, but the resulting artifacts end up published to the SHA associated with main because workflow_dispatch workflow triggers start out at the tip of main.

I do note that we're now not using the response from /check, so it's really just an "exit early if the app isn't installed in this repository" check now, which I think would happen when we try to publish anyway. So... up to you if you want to remove that /check call altogether.

I'm unsure if this has any "breaking change" implications for other users... I guess technically if someone was relying on the current behavior it would be confusing for them, but I can't see a situation where you'd want to publish a checked-out commit under a different SHA...

I'm obviously no expert in this codebase, so if I'm being stupid with my approach, feel free to say so and I'll go away 😆