Sign fork macOS npm release binary with stable identity

[richardgetz]

Summary

• signs the fork Apple Silicon npm payload before artifact staging, using the stable code signing identifier com.rickgetz.codex
• extends the shared macOS signing action with an optional codesign-identifier input while preserving the default upstream behavior
• guards the fork release jobs so manual dispatches from non-stable refs do not receive Apple signing secrets
• documents the required Apple Developer ID and notarization GitHub secrets for the fork release lane

Validation

• python3 -m py_compile scripts/stage_npm_packages.py codex-cli/scripts/build_npm_package.py codex-cli/scripts/release_config.py scripts/compute_fork_release.py
• `ruby -e 'require "yaml"; %w[.github/actions/macos-code-sign/action.yml .github/workflows/fork-release.yml].each { |p| YAML.load_file(p); puts "ok #{p}" }'
• NPM_CONFIG_CACHE=/tmp/codex-npm-cache npm exec --yes --package prettier@3.5.3 -- prettier --check docs/fork-release.md .github/workflows/fork-release.yml .github/actions/macos-code-sign/action.yml
• darwin-arm64 npm packaging smoke test with a temporary fake vendor tree
• GOCACHE=/tmp/codex-go-cache GOPATH=/tmp/codex-go GOPROXY=https://proxy.golang.org,direct go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/fork-release.yml
• git diff --check

Review

• post-change-review swarm pass 1 found a temp keychain cleanup gap; fixed by exporting APPLE_CODESIGN_KEYCHAIN before setup can fail
• post-change-review pass 2 found non-stable workflow_dispatch secret exposure risk and a cleanup env-shadowing issue; fixed both
• final post-change-review pass 3 returned no findings