Add macOS code signing and notarization for new compiler

[rtfeldman]

Summary

Adds code signing and notarization to the nightly new compiler workflow for macOS builds. When users download the roc binary on macOS, it will run without Gatekeeper warnings.

• Imports Developer ID certificate into a temporary CI keychain
• Signs the binary with hardened runtime (-o runtime)
• Submits to Apple's notarization service and waits for approval
• Adds documentation for required GitHub secrets in ci/MACOS_CODE_SIGNING.md

Required Secrets

Before this works, these secrets need to be configured:

• MACOS_CERTIFICATE - Base64-encoded .p12 Developer ID certificate
• MACOS_CERTIFICATE_PWD - Password for the .p12 file
• MACOS_CERTIFICATE_NAME - Certificate identity name
• MACOS_CI_KEYCHAIN_PWD - Password for temp keychain
• APPLE_NOTARIZATION_KEY_ID - App Store Connect API key ID
• APPLE_NOTARIZATION_ISSUER - App Store Connect issuer UUID
• APPLE_NOTARIZATION_KEY - Private key content (.p8)

Co-authored by Claude Opus 4.5

[github-actions]

Thank you for your contribution! Sometimes PRs end up staying open for a long time without activity, which can make the list of open PRs get long and time-consuming to review. To keep things manageable for reviewers, this bot automatically closes PRs that haven’t had activity in 60 days. This PR hasn’t had activity in 30 days, so it will be automatically closed if there is no more activity in the next 30 days. Keep in mind that PRs marked Closed are not deleted, so no matter what, the PR will still be right here in the repo. You can always access it and reopen it anytime you like!

[lukewilliamboswell]

We're gonna need this 😃