i understand your checklist might say that, but there is zero security difference here. the source of the breakpad code is not verified regardless of how it was obtained. you're basically describing "security laundering". further, you haven't described how the security chain of trust is actually maintained with a signed GH tag. it's trivial for anyone to generate a signed tag, but if you aren't actually verifying it against another trust source, it is completely meaningless.
i'm not against creating a signed tag (we're not going to do dedicated archives), i'm just pointing out that you've only described security theater thus far. security theater is exactly that -- theater.