Sign and notarize macOS ballast release artifacts for Homebrew cask distribution #43

@markcallen

Problem

The ballast Homebrew cask is being flagged by Homebrew and macOS Gatekeeper because the released macOS binaries are not signed and notarized.

Current user-facing behavior includes:

  • Gatekeeper deprecation warnings during brew install --cask ballast
  • Homebrew warning that the cask will be disabled if it continues to fail Gatekeeper checks
  • Avoidable install friction for macOS users

Goal

Sign and notarize the macOS ballast release artifacts so the generated Homebrew cask passes Gatekeeper checks.

Scope

  • Sign ballast macOS binaries during release
  • Notarize macOS release archives used by the cask
  • Staple notarization where applicable
  • Update the CLI release automation in .github/workflows/publish-cli.yml and .github/workflows/publish.yml
  • Document required secrets, certificates, and Apple credentials
  • Verify the generated cask installs cleanly on macOS without Gatekeeper deprecation warnings

Relevant Files

  • cli/ballast/.goreleaser.yaml
  • .github/workflows/publish-cli.yml
  • .github/workflows/publish.yml
  • docs/publish.md

Acceptance Criteria

  • macOS release artifacts are signed
  • macOS release artifacts are notarized
  • Homebrew cask install succeeds on macOS without Gatekeeper deprecation warnings
  • Release docs include setup steps for signing/notarization secrets and certificates
  • everydaydevopsio/homebrew-ballast cask continues to install ballast successfully

Notes

The Linux Homebrew formula path is now separate; this issue is specifically about fixing the macOS cask path.
