Add notarized release packaging workflow

[haasonsaas]

Summary

• add a manual package-release workflow for Developer ID signing, notarization, stapling, and artifact upload
• import the Developer ID .p12 from GitHub secrets into a temporary keychain
• document the required signing/notary secrets and uploaded evidence files

Testing

• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/package-release.yml")'\n- actionlint .github/workflows/package-release.yml\n- scripts/package_app.sh\n- swift test\n- swift build -Xswiftc -warnings-as-errors\n- xcrun swift-format lint --strict --recursive Sources Tests Package.swift\n- git diff --check

[cursor]

PR Summary

Medium Risk
Adds a new credential-backed GitHub Actions release workflow that imports signing certs and runs notarization, so misconfiguration or secret handling mistakes could break releases or leak sensitive material. No application runtime code changes.

Overview
Introduces a new manually-triggered package-release GitHub Actions workflow to produce a Developer ID signed, notarized, and stapled macOS .app/.zip using scripts/package_app.sh, including temporary keychain setup from a base64-encoded .p12 secret.

The workflow records and uploads release evidence (SHA256SUMS, codesign output, and spctl Gatekeeper assessment) and the README now documents the required signing/notary secrets and the artifacts produced.

^{Reviewed by Cursor Bugbot for commit 55bf114. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit 55bf114. Configure here.}