
ci(macos): automate Developer ID signing + notarization in GitHub Actions#147

Merged: ashishkurmi merged 2 commits into step-security:main from ashishkurmi:main on Jun 23, 2026

Conversation


ashishkurmi (Member) commented Jun 22, 2026


No description provided.

…ions

Move macOS Developer ID codesigning and Apple notarization off a local
Mac and into GitHub Actions, mirroring the Windows (Azure Trusted
Signing) flow, and fix a code-signing identifier regression.

New workflows:
- release-macos.yml (dispatch-only): downloads the …-darwin_unnotarized
  binary from the draft release, codesigns it, notarizes it, then
  cosign-signs and attests the final notarized bytes and uploads them.
  Kept separate from release.yml so it can be re-run independently when
  Apple notarization hangs.
- check-notarization-status.yml (dispatch-only): inspects a notary
  submission by id (status + log) for hung builds.
- test-macos-signing.yml: end-to-end smoke test (goreleaser snapshot
  build, then codesign + notarize the test binary), mirroring
  test-build.yml. Nothing is published.

release.yml: stop cosign-signing/attesting the unnotarized darwin
bytes; that now happens in release-macos.yml against the bytes users
actually download.

Fixed code-signing identifier: codesign is invoked with
--identifier stepsecurity-dev-machine-guard so the designated
requirement stays stable across versions. Previously it defaulted to
the versioned filename, which changed every release and broke MDM
PPPC/TCC Full Disk Access profiles that match by identifier.
test-macos-signing.yml asserts the embedded identifier so this can't
recur.

Notarization hang handling: the submission id is always printed before
a 5-minute bounded wait; on timeout the run fails with the id so it can
be checked and re-run without resubmitting.

Certificate expiration: both signing workflows print the Developer ID
cert expiry, warn at 30 days, and fail if already expired.

docs/release-process.md documents the new three-workflow process, the
required signing secrets, and the fixed identifier.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
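The certificate-expiry gate and the embedded-identifier assertion the commit message describes, written as standalone shell functions so they can be exercised without a Mac. This is an added example, not code from the PR's workflows; the `::warning::`/`::error::` annotation lines, the injectable `now` argument, the 0/1/2 return codes and the sample `codesign` output are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): the certificate-expiry gate and the
# identifier assertion as standalone functions, testable without a Mac.
set -u
# openssl prints "notAfter=Jun 23 12:00:00 2027 GMT"; convert it to epoch seconds.
# GNU date (Linux) takes -d; BSD date (macOS runners) needs -j -f, so try both.
notafter_to_epoch() {
  stamp=${1#notAfter=}
  date -u -d "$stamp" +%s 2>/dev/null ||
    date -j -u -f "%b %d %H:%M:%S %Y %Z" "$stamp" +%s
}

# $1 notAfter line, $2 "now" as epoch seconds (injected so tests are stable),
# $3 warning threshold in days (default 30, as in the PR).
# Returns 0 = fine, 1 = expires within threshold, 2 = already expired.
# The ::warning::/::error:: lines are GitHub Actions annotations (assumed here).
cert_expiry_status() {
  not_after=$(notafter_to_epoch "$1") || return 3
  now=$2; warn_days=${3:-30}
  remaining=$(( (not_after - now) / 86400 ))
  if [ "$not_after" -le "$now" ]; then
    echo "::error::Developer ID certificate expired on ${1#notAfter=}"; return 2
  elif [ "$remaining" -lt "$warn_days" ]; then
    echo "::warning::Developer ID certificate expires in ${remaining} day(s)"; return 1
  fi
  echo "Developer ID certificate valid for ${remaining} more day(s)"
}

# $1 output of `codesign -d --verbose=2 <binary> 2>&1`, $2 the expected identifier.
# Fails when the identifier has silently defaulted to the versioned filename again.
assert_identifier() {
  found=$(printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1)
  if [ "$found" != "$2" ]; then
    echo "::error::codesign identifier is '${found:-<none>}', expected '$2'"; return 1
  fi
  echo "codesign identifier OK: $found"
}

# Constructed sample of codesign output (Team ID is a placeholder).
CODESIGN_SAMPLE='Executable=/Users/runner/work/dist/dev-machine-guard_1.2.3_darwin
Identifier=stepsecurity-dev-machine-guard
Format=Mach-O thin (arm64)
Authority=Developer ID Application: Example Corp (PLACEHOLDERID)'

# On a macOS runner the real inputs would be:
#   cert_expiry_status "$(security find-certificate -c 'Developer ID Application' -p \
#                         | openssl x509 -noout -enddate)" "$(date +%s)"
#   assert_identifier "$(codesign -d --verbose=2 dist/dev-machine-guard 2>&1)" \
#                     stepsecurity-dev-machine-guard
```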
ashishkurmi marked this pull request as ready for review June 22, 2026 21:19
ashishkurmi merged commit 0f4cece into step-security:main Jun 23, 2026
10 checks passed