Enable code signing on GH Actions

[seanbudd]

Link to issue number:

Part of #17878

Summary of the issue:

Code signing is missing from GitHub actions, which needs to be added to have full parity to AppVeyor

Description of user facing changes

None

Description of development approach

Set in api signing token in GitHub secrets, create a signed build if appropriate

Testing strategy:

• Ensure a try build based on this PR is signed: https://github.com/nvaccess/nvda/actions/runs/15868127863

Known issues with pull request:

None

Code Review Checklist:

• Documentation:
  • Change log entry
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• UX of all users considered:
  • Speech
  • Braille
  • Low Vision
  • Different web browsers
  • Localization in other languages / culture than English
• API is compatible with existing add-ons.
• Security precautions taken.

@coderabbitai summary

[AppVeyorBot]

• PASS: Translation comments check.
• PASS: License check.
• PASS: Unit tests.
• FAIL: System tests (tags: installer NVDA). See test results for more information.
• Build (for testing PR): https://ci.appveyor.com/api/buildjobs/ja1gtidj3xtjvvt2/artifacts/output/nvda_snapshot_pr18034-36339,f37e780f.exe
• CI timing (mins):
  INIT 0.0,
  INSTALL_START 1.4,
  INSTALL_END 1.0,
  BUILD_START 0.0,
  BUILD_END 21.1,
  TESTSETUP_START 0.0,
  TESTSETUP_END 0.4,
  TEST_START 0.0,
  TEST_END 19.5,
  FINISH_END 0.1

See test results for failed build of commit f37e780f7a

[SaschaCowley]

@seanbudd is signing supposed to be happening on all PRs targeting master/beta/rc? Because it seems like it is at present. I thought it was only supposed to happen on try builds, or commits to master/beta/rc (snapshots)

[seanbudd]

@SaschaCowley signing will only occur on pushes (github.event_name == 'push'). i.e. pushes to master/beta/rc/try-* or a release tag

[seanbudd]

additionally, secrets will be empty on any PR not based on nvaccess/nvda

[seanbudd]

This PR was not signed if you want testing confirmation

[SaschaCowley]

Aah yep, gotcha. I forgot how the 'push' event works