
ci: restore arm64 releases and harden macOS release signing #152

Open: mchv wants to merge 7 commits into justrach:main from mchv:fix/release-followup

Conversation

mchv (Contributor) commented Apr 5, 2026


Summary

This PR fixes the regressions introduced by #149 and hardens the macOS release path without changing the installer contract.

It does five things:

  • restores codedb-linux-arm64 to the release matrix so ARM Linux installs keep working
  • scopes Apple signing and notarization secrets to macOS-only steps instead of exposing them to Linux matrix legs
  • adds notarization for macOS release binaries before upload, so GitHub Releases matches the documented "codesigned + notarized" path
  • keeps workflow_dispatch compatible with older tags such as v0.2.53 by guarding the -Dcodesign-identity build option and fetching the notarization helper from main
  • replaces the hand-rolled certificate import block with Apple’s official apple-actions/import-codesign-certs action and moves notarization logic into scripts/notarize-macos.sh

Files touched

  • build.zig
  • .github/workflows/release-binaries.yml
  • scripts/notarize-macos.sh

Why this is needed

Before this branch:

  • the release workflow from ci: publish Intel macOS release binaries #149 stopped publishing codedb-linux-arm64
  • macOS assets were being uploaded without notarization
  • Apple signing/notary secrets were available to non-macOS matrix legs
  • manual rebuilds of older tags would fail once the workflow started relying on newer repo-only helpers or newer build.zig options

After this branch:

  • release automation publishes codedb-darwin-x86_64, codedb-darwin-arm64, codedb-linux-x86_64, and codedb-linux-arm64
  • macOS assets are signed with runtime/timestamp options and sent through notarytool before upload
  • Apple secrets are limited to the macOS steps that actually consume them
  • workflow_dispatch can still rebuild older tags while using the current notarization helper from main

Implementation notes

  • build.zig now supports a configurable codesign-identity option and adds --options runtime --timestamp when using a real identity instead of ad-hoc signing.
  • The macOS workflow path uses apple-actions/import-codesign-certs@v5 for certificate import.
  • The workflow only passes -Dcodesign-identity when the checked-out tag’s build.zig supports that option.
  • For legacy tags, the workflow fetches scripts/notarize-macos.sh from the current default branch before running the notarization step.

Checks run

  • git fetch upstream
  • branch created from current upstream/main
  • git cherry-pick 8b25224
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release-binaries.yml")'
  • bash -n scripts/notarize-macos.sh

Notes

  • no generated files, lockfiles, or benchmark artifacts changed
  • this PR contains only the follow-up fixes that missed ci: publish Intel macOS release binaries #149 plus the subsequent review-driven cleanup commits
  • this submission matches CONTRIBUTING.md
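An added illustration of the secret-scoping and pinned-helper pattern the PR describes; it is not this PR's actual workflow file. Assumed, not taken from the PR: the secret names, the runner labels, `zig-out/bin/codedb` as the build output, and that a `grep` for `codesign-identity` in `build.zig` is a sufficient test for the option; `github.workflow_sha` is the real Actions context value for the commit the workflow file was read from.

```yaml
# Added example, not the PR's workflow. Assumed names: secrets, runner labels, build output.
on:
  workflow_dispatch:
    inputs:
      tag: { description: "Existing tag to rebuild", required: true }
jobs:
  build:
    strategy:
      matrix:
        include:   # all four published targets, arm64 Linux included
          - { os: macos-14, target: darwin-arm64 }
          - { os: macos-13, target: darwin-x86_64 }
          - { os: ubuntu-24.04, target: linux-x86_64 }
          - { os: ubuntu-24.04-arm, target: linux-arm64 }
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with: { ref: "${{ inputs.tag }}" }
      - name: Import signing certificate (macOS only)
        if: runner.os == 'macOS'
        uses: apple-actions/import-codesign-certs@v5
        with:
          p12-file-base64: ${{ secrets.APPLE_CERT_P12 }}
          p12-password: ${{ secrets.APPLE_CERT_PASSWORD }}
      - name: Build
        env:   # identity is empty on Linux legs, so the secret never reaches them
          CODESIGN_IDENTITY: ${{ runner.os == 'macOS' && secrets.APPLE_SIGNING_IDENTITY || '' }}
        run: |
          # Older tags predate the option: pass it only if this tag's build.zig defines it.
          opts=""
          if [ -n "$CODESIGN_IDENTITY" ] && grep -q 'codesign-identity' build.zig; then
            opts="-Dcodesign-identity=$CODESIGN_IDENTITY"
          fi
          zig build $opts
      - name: Fetch notarization helper pinned to this workflow's commit (macOS only)
        if: runner.os == 'macOS'
        env: { GH_TOKEN: "${{ github.token }}" }
        run: |
          # ?ref= pins the download to the commit the workflow itself came from, not the branch tip.
          gh api "repos/${{ github.repository }}/contents/scripts/notarize-macos.sh?ref=${{ github.workflow_sha }}" \
            -H "Accept: application/vnd.github.raw" > scripts/notarize-macos.sh
          chmod +x scripts/notarize-macos.sh
      - name: Sign and notarize (macOS only)
        if: runner.os == 'macOS'
        env:   # notary credentials bound to this single step
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
        run: scripts/notarize-macos.sh zig-out/bin/codedb
```

Because every step that binds an Apple secret also carries `if: runner.os == 'macOS'`, the Linux matrix legs are never handed the credentials, and a rebuild of an old tag executes the helper at the workflow's own revision rather than whatever `main` holds at that moment.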

@mchv mchv marked this pull request as draft April 5, 2026 11:40

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3c8559574f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

mchv (Contributor, Author) commented Apr 5, 2026

@codex review


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a97a29f994


mchv (Contributor, Author) commented Apr 5, 2026

@codex review

@mchv mchv changed the title ci: restore arm64 releases and notarize macOS builds ci: restore arm64 releases and harden macOS release signing Apr 6, 2026
@mchv mchv marked this pull request as ready for review April 6, 2026 01:18

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cdf459f1e1


Comment on lines +71 to +72
gh api repos/${{ github.repository }}/contents/scripts/notarize-macos.sh \
-H "Accept: application/vnd.github.raw" > scripts/notarize-macos.sh
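Review bot: the `gh api repos/.../contents/scripts/notarize-macos.sh` call on these two lines carries no `ref` query parameter, so it resolves to whatever the default branch holds at run time, and the redirect writes that content straight into the file that the later notarization step executes with the Apple credentials. Pin the request with `?ref=<commit-sha>` (the commit the workflow file itself was read from is a natural choice) and compare the downloaded file's SHA-256 against an expected value before it is made executable, so a rebuild of an old tag cannot pick up unreviewed helper changes.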

P1: Pin notarization helper download to immutable ref

This step pulls scripts/notarize-macos.sh from a mutable branch tip and that script is later executed in the notarization step with APPLE_API_* secrets, so historical tag rebuilds can run different code than what was reviewed for the tag. If default-branch content changes (accidentally or maliciously), the workflow can leak notarization credentials or alter signing behavior without any change to the release tag being rebuilt. Use an immutable ref (for example, a specific commit SHA tied to the workflow revision) before executing the helper with secrets.


Development

Successfully merging this pull request may close these issues.

build: automate macOS codesign + notarization via GitHub Actions

1 participant