
ci: sign and notarize macos builds via rcodesign + dry-run#12

Merged: hmk merged 1 commit into main from ci/macos-sign-and-notarize on May 11, 2026

Conversation

@hmk hmk commented May 11, 2026

Owner

Summary

Wires up macOS signing and notarization in the release pipeline using goreleaser's cross-platform notarize.macos block (backed by rcodesign, runs on Linux runners).

  • New notarize block in .goreleaser.yaml, gated on isEnvSet "MACOS_SIGN_P12" so local snapshots without secrets still work.
  • release.yml now pulls credentials from the release GitHub environment (5 secrets) and installs rcodesign before the goreleaser step.
  • Adds a workflow_dispatch trigger with a dry_run boolean (default true) that runs goreleaser release --snapshot --clean --skip=publish and uploads dist/ as a 7-day artifact. Lets us test the full pipeline (including signing/notarization on darwin builds) without burning a real release.

How to test before merging

  1. Merge this PR (the release environment secrets are scoped to main, so the dry-run needs to run from main).
  2. Actions tab → Release → "Run workflow" → leave dry_run checked → run.
  3. If the release environment has required reviewers, approve the deployment.
  4. Watch the goreleaser job — successful notarization shows rcodesign lines completing for each darwin artifact.
  5. Download dist-snapshot artifact, untar a darwin_arm64 build, and verify:
    codesign -dv --verbose=4 ./try
    spctl --assess --type execute -vv ./try
    
    Should show a Developer ID identity and "accepted source=Notarized Developer ID".

Notes

  • The dry-run mode runs goreleaser in --snapshot, which uses a fake version like 0.1.1-next-SNAPSHOT-abc123. Real publish path is unaffected.
  • rcodesign is pinned to v0.27.0; bump as needed.
  • If the release environment isn't configured yet, the goreleaser job will fail with an environment-not-found error — set it up first under Settings → Environments.

🤖 Generated with Claude Code
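As an added, illustrative version of the configuration this PR describes (not the repository's actual .goreleaser.yaml or release.yml): the notarize.macos block gated on isEnvSet, the workflow_dispatch dry_run path that pulls the five secrets from the release environment and uploads dist/ as a 7-day artifact, a version- and checksum-pinned rcodesign install, and, going beyond the PR, a macOS job that automates the codesign/spctl check from step 5 of the test procedure. Field names in the notarize block follow goreleaser's documented notarize.macos schema; the rcodesign asset URL, the RCODESIGN_SHA256 repository variable, the default archive naming and the `try` binary path are assumptions.

```yaml
# .goreleaser.yaml (fragment): fields per goreleaser's documented notarize.macos schema
notarize:
  macos:
    - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'  # no secret -> skipped; local snapshots still build
      sign:
        certificate: "{{ .Env.MACOS_SIGN_P12 }}"  # base64-encoded Developer ID Application .p12
        password: "{{ .Env.MACOS_SIGN_PASSWORD }}"
      notarize:
        issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
        key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
        key: "{{ .Env.MACOS_NOTARY_KEY }}"  # App Store Connect API key (.p8)
        wait: true
        timeout: 20m
---
# .github/workflows/release.yml
name: Release
on:
  push:
    tags: ["v*"]
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Snapshot build, skip publish, upload dist/ as a 7-day artifact"
        type: boolean
        default: true
permissions:
  contents: write
jobs:
  goreleaser:
    runs-on: ubuntu-latest
    environment: release  # holds the 5 secrets; required reviewers gate this job
    env:
      DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Install rcodesign (pinned by version and checksum)
        env:
          # Assumed release asset URL for apple-codesign 0.27.0; confirm before use.
          RCODESIGN_URL: https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.27.0/apple-codesign-0.27.0-x86_64-unknown-linux-musl.tar.gz
          # Assumed repository variable holding the sha256 of that archive.
          RCODESIGN_SHA256: ${{ vars.RCODESIGN_SHA256 }}
        run: |
          set -euo pipefail
          curl -sSfL -o rcodesign.tar.gz "$RCODESIGN_URL"
          echo "${RCODESIGN_SHA256}  rcodesign.tar.gz" | sha256sum -c -
          mkdir -p "$RUNNER_TEMP/rcodesign"
          tar -xzf rcodesign.tar.gz -C "$RUNNER_TEMP/rcodesign" --strip-components=1
          echo "$RUNNER_TEMP/rcodesign" >> "$GITHUB_PATH"
          "$RUNNER_TEMP/rcodesign/rcodesign" --version
      - uses: goreleaser/goreleaser-action@v6
        with:
          version: "~> v2"
          args: ${{ env.DRY_RUN == 'true' && 'release --snapshot --clean --skip=publish' || 'release --clean' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
      - if: env.DRY_RUN == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: dist-snapshot
          path: dist/
          retention-days: 7
  verify-darwin-signature:
    # Added check, not in the PR: automates step 5 of the test procedure on a macOS runner.
    needs: goreleaser
    if: github.event_name == 'workflow_dispatch' && inputs.dry_run
    runs-on: macos-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist-snapshot
          path: dist
      - name: Verify Developer ID signature and notarization
        run: |
          set -euo pipefail
          # Assumes goreleaser's default archive naming and a binary called `try`, as in the PR.
          archive=$(ls dist/*_darwin_arm64.tar.gz | head -n 1)
          mkdir -p "$RUNNER_TEMP/try"
          tar -xzf "$archive" -C "$RUNNER_TEMP/try"
          bin="$RUNNER_TEMP/try/try"
          # codesign reports on stderr; require a Developer ID identity in the chain.
          codesign -dv --verbose=4 "$bin" 2>&1 | tee codesign.txt
          grep -q 'Authority=Developer ID Application' codesign.txt
          # Gatekeeper assessment. A bare Mach-O cannot carry a stapled ticket, so this
          # consults Apple's notarization service over the network.
          spctl --assess --type execute -vv "$bin" 2>&1 | tee spctl.txt
          grep -q 'accepted' spctl.txt
          grep -q 'source=Notarized Developer ID' spctl.txt
```

Two design points worth noting: the secrets are passed to goreleaser through the step's env rather than interpolated into a shell command, so they never land in a command line, and the rcodesign download is checked against a sha256 held outside the workflow file rather than trusted by version tag alone. The verify job is where the dry run pays off: a signing or notarization regression fails the run before anyone needs to download the artifact by hand.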

Adds goreleaser notarize.macos block (cross-platform, uses rcodesign)
gated on MACOS_SIGN_P12 being set. The release workflow now:

- Pulls credentials from the "release" environment (5 secrets:
  MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_ISSUER_ID,
  MACOS_NOTARY_KEY_ID, MACOS_NOTARY_KEY).
- Installs rcodesign on the runner.
- Supports workflow_dispatch with a dry_run flag that runs
  --snapshot --skip=publish and uploads dist/ as an artifact, so
  signing+notarization can be exercised end-to-end without cutting
  a real release.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hmk hmk merged commit d2aac00 into main May 11, 2026
5 checks passed
@hmk hmk deleted the ci/macos-sign-and-notarize branch May 11, 2026 21:25