Add code-signing release

Author: lukekim

.github/workflows/release.yml

@@ -1,11 +1,19 @@
 name: release
 on:
   workflow_dispatch:
+    inputs:
+      signed_binary_name:
+        description: 'Name of the signed binary'
+        required: false
+        default: 'spiceai.signed.taco'
+        type: string
   release:
     types: [created]
+
 jobs:
   build:
-    runs-on: macos-latest
+    runs-on: code-signing
+    if: github.event.action == 'created' && github.event.release.prerelease == true
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -17,20 +25,28 @@ jobs:
         with:
           python-version: 3.13
 
-      - name: Install Make
+      - name: Make Package (unsigned)
         run: |
-          brew install make
+          make package
 
-      - name: Package (unsigned)
+      - name: Set up Java for signing
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'zulu'
+
+      - name: Sign ${{ inputs.signed_binary_name}}
+        env:
+          DIGICERT_KEY_ALIAS: ${{ secrets.DIGICERT_KEY_ALIAS }}
         run: |
-          make package
-          mv spice.taco spice_unsigned.taco
+          jarsigner -tsa http://timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties.cfg -sigalg SHA256withRSA -signedjar ${{ inputs.signed_binary_name}} ../../spice.taco $DIGICERT_KEY_ALIAS
+        shell: bash
 
-      - name: Upload
+      - name: Upload to release
         uses: softprops/action-gh-release@v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           draft: true
           prerelease: true
           fail_on_unmatched_files: true
-          files: spice_unsigned.taco
+          files: ${{ inputs.signed_binary_name }}