Add macOS PKG GitHub Actions workflow

[Copilot]

Adds .github/workflows/macos-pkg-build.yml to automate macOS PKG installer builds in CI, complementing the existing Linux DEB and Flatpak workflows.

Workflow behavior

• Signed path (when MACOS_CERTIFICATE secret is set): imports the Developer ID cert into a temporary keychain → ant create-pkg → optional ant notarize-pkg (when APPLE_ID is also set)
• Unsigned fallback (no signing cert, e.g. fork PRs): runs ant create-dmg and uploads the DMG

Secret detection pattern

GitHub Actions secrets cannot be reliably compared in if: expressions. A dedicated step evaluates the comparison at expression-evaluation time via env: and writes boolean flags to step outputs:

- name: Check Signing Secrets
  id: secrets
  env:
    HAS_CERT: ${{ secrets.MACOS_CERTIFICATE != '' }}
    HAS_NOTARY: ${{ secrets.APPLE_ID != '' }}
  run: |
    echo "has-cert=$HAS_CERT" >> "$GITHUB_OUTPUT"
    echo "has-notary=$HAS_NOTARY" >> "$GITHUB_OUTPUT"

- name: Build Signed PKG
  if: steps.secrets.outputs.has-cert == 'true'
  ...

Required secrets for signed builds

Secret	Purpose
MACOS_CERTIFICATE	Base64-encoded .p12 certificate
MACOS_CERTIFICATE_PWD	.p12 password
MACOS_CERTIFICATE_NAME	Developer ID Application name (--mac-signing-key-user-name)
SIGNING_IDENTITY	Full codesign identity string
MAC_PACKAGE_IDENTIFIER	Bundle ID (e.g. com.jdiskmark.jdiskmark)
APPLE_ID	Apple ID for notarization
APPLE_PASSWORD	App-specific password
APPLE_TEAM_ID	Apple Developer Team ID

---

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.