## Summary
- Add explicit `WINDOWS_SIGN` env var to the release workflow (set only
for Windows builds)
- `forge.config.ts` now checks `WINDOWS_SIGN=true` to enable Windows
code signing, instead of the generic `isGitHubActions` check
- If `WINDOWS_SIGN` is enabled but `AZURE_CODE_SIGNING_DLIB` is missing,
the build **fails loudly** with a clear error message
- CI builds no longer attempt Windows code signing since they don't set
`WINDOWS_SIGN`

## Test plan
- CI workflow should pass without attempting Windows code signing (no
`WINDOWS_SIGN` env var)
- Release workflow Windows builds will set `WINDOWS_SIGN=true` and sign
correctly
- If Azure signing tools fail to install in the release workflow, the
build will fail explicitly instead of silently skipping signing

#skip-bugbot

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: small build/release configuration change that only affects
Windows signing behavior and adds an explicit fail-fast check when
signing is enabled but tooling is missing.
> 
> **Overview**
> Windows code signing is now explicitly gated by a `WINDOWS_SIGN` env
var instead of implicitly enabling it on all GitHub Actions runs.
> 
> The release workflow sets `WINDOWS_SIGN=true` only for the Windows
matrix job, and `forge.config.ts` enables `windowsSign`/MakerSquirrel
signing only when that flag is set, failing fast with a clear error if
`AZURE_CODE_SIGNING_DLIB` is missing.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
132029c13f0da8afde3f864dc58a1ebdaeddf28e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>