GitGuardian / ggshield

Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
https://gitguardian.com
MIT License
1.59k stars 139 forks

Release signed binaries #871

Closed agateau-gg closed 3 months ago

agateau-gg commented 3 months ago

Context

This PR extends our CI so that signed macOS binaries are built on each release.

What has been done

Since testing CI code which only triggers on tags is not really possible, I used the following workarounds:

  1. The existing sign.yml workflow has been turned into a more generic build_release_assets.yml workflow. This workflow is called by the tag.yml workflow. It can also be called manually.

  2. I added a faketag.yml workflow. This is a copy of tag.yml except it triggers on pull requests and does not publish anything: each publish step is replaced by a step listing the downloaded artifacts which would be published. This allows verifying the changes to tag.yml as much as possible. You can see a run of it here. This faketag.yml will be removed before merging the PR.

Review

First commit contains the real work. Second commit just adds faketag.yml and can mostly be ignored (apart from verifying changes made to tag.yml are also present in faketag.yml). I will revert that commit before merging.

codecov-commenter commented 3 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 91.65%. Comparing base (26cac3c) to head (de20b69). Report is 16 commits behind head on main.

:exclamation: Current head de20b69 differs from pull request most recent head e0f2a90. Consider uploading reports for the commit e0f2a90 to get more accurate results

:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #871      +/-   ##
==========================================
- Coverage   91.92%   91.65%   -0.27%
==========================================
  Files         170      170
  Lines        7058     7061       +3
==========================================
- Hits         6488     6472      -16
- Misses        570      589      +19
```

| [Flag](https://app.codecov.io/gh/GitGuardian/ggshield/pull/871/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=GitGuardian) | Coverage Δ | |
|---|---|---|
| [unittests](https://app.codecov.io/gh/GitGuardian/ggshield/pull/871/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=GitGuardian) | `91.65% <ø> (-0.27%)` | :arrow_down: |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=GitGuardian#carryforward-flags-in-the-pull-request-comment) to find out more.


agateau-gg commented 3 months ago

Looks good, but I'm not sure I understand why you end up with two macOS binaries here. What is "macos-14"?

GitHub terminology is confusing:

At least that was my understanding until I went back to https://github.com/actions/runner-images, and noticed macos-latest is now the same as macos-14! That changed on April 2.

That's my punishment for not pinning runner versions I guess 😒. Going to pin this runner (and the Ubuntu one).
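The workflow layout described in the PR description (a reusable build_release_assets.yml called from tag.yml, plus a PR-triggered faketag.yml that lists artifacts instead of publishing them) and the runner-pinning point above, sketched as one added example. This is not ggshield's actual CI: the file names follow the PR description, but the job names, artifact name, secret names, build script, binary path and publish command are all assumed. The three files are shown as a single YAML stream separated by `---`.

```yaml
# Added example, not ggshield's own workflows. Job names, artifact/secret
# names, the build script and the publish command are assumptions.
#
# --- .github/workflows/build_release_assets.yml ---
name: Build release assets

on:
  # Called from tag.yml (and from the PR-triggered dry-run copy of it).
  workflow_call:
  # Also triggerable by hand from the Actions tab. It only shows up there
  # once this file exists on the default branch.
  workflow_dispatch:

jobs:
  build_macos:
    # Pinned on purpose: macos-latest now resolves to macos-14, which is how
    # an unpinned matrix ends up building the "same" target twice.
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4

      - name: Import signing certificate into a throwaway keychain
        env:
          CERT_P12_BASE64: ${{ secrets.MACOS_CERT_P12 }}      # assumed secret
          CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}   # assumed secret
        run: |
          echo "$CERT_P12_BASE64" | base64 --decode > cert.p12
          security create-keychain -p "" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "" build.keychain
          security import cert.p12 -k build.keychain -P "$CERT_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
          rm -f cert.p12

      - name: Build binary
        run: ./scripts/build-macos.sh   # assumed build script, outputs dist/ggshield

      - name: Sign and verify
        env:
          IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}     # assumed secret
        run: |
          codesign --sign "$IDENTITY" --timestamp --options runtime dist/ggshield
          # Fail here rather than when users hit Gatekeeper.
          codesign --verify --strict --verbose=2 dist/ggshield

      - uses: actions/upload-artifact@v4
        with:
          name: ggshield-macos-arm64   # assumed artifact name
          path: dist/ggshield

---
# --- .github/workflows/tag.yml ---
name: Tag

on:
  push:
    tags: ["v*"]

jobs:
  build:
    uses: ./.github/workflows/build_release_assets.yml
    secrets: inherit

  publish:
    needs: build
    runs-on: ubuntu-22.04   # pinned, not ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: assets
      - name: Publish
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "$GITHUB_REF_NAME" assets/*/*   # assumed publish step

---
# --- .github/workflows/faketag.yml (PR-only dry run, removed before merge) ---
name: Fake tag

on:
  pull_request:

jobs:
  build:
    uses: ./.github/workflows/build_release_assets.yml
    secrets: inherit

  publish:
    needs: build
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: assets
      - name: List what would have been published
        run: find assets -type f -exec ls -l {} +
```

Two caveats when copying this pattern: the dry-run workflow only exercises the signing step for pull requests from branches in the same repository, since GitHub does not expose repository secrets to pull_request runs from forks; and because faketag.yml calls the same reusable workflow as tag.yml, the tag run is only as well tested as the parts that are shared, so any publish-only logic in tag.yml still goes untested until the first real tag.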

salome-voltz commented 3 months ago

Looks good to me, I'm just not sure I understand how to trigger the Build release assets workflow manually?

agateau-gg commented 3 months ago

Looks good to me, I'm just not sure I understand how to trigger the Build release assets workflow manually?

The place to trigger workflows is https://github.com/GitGuardian/ggshield/actions, but there is a trick: you can't trigger it right now because I renamed it, and the workflow must exist in the default branch to be able to trigger it 😞.

Right now you can try to trigger the sign workflow, the old name for build_release_assets, which is in the default branch.