Only enable Windows code signing in release workflow (#2459)

## Summary - Add explicit `WINDOWS_SIGN` env var to the release workflow (set only for Windows builds) - `forge.config.ts` now checks `WINDOWS_SIGN=true` to enable Windows code signing, instead of the generic `isGitHubActions` check - If `WINDOWS_SIGN` is enabled but `AZURE_CODE_SIGNING_DLIB` is missing, the build **fails loudly** with a clear error message - CI builds no longer attempt Windows code signing since they don't set `WINDOWS_SIGN` ## Test plan - CI workflow should pass without attempting Windows code signing (no `WINDOWS_SIGN` env var) - Release workflow Windows builds will set `WINDOWS_SIGN=true` and sign correctly - If Azure signing tools fail to install in the release workflow, the build will fail explicitly instead of silently skipping signing #skip-bugbot  --- > [!NOTE] > **Low Risk** > Low risk: small build/release configuration change that only affects Windows signing behavior and adds an explicit fail-fast check when signing is enabled but tooling is missing. > > **Overview** > Windows code signing is now explicitly gated by a `WINDOWS_SIGN` env var instead of implicitly enabling it on all GitHub Actions runs. > > The release workflow sets `WINDOWS_SIGN=true` only for the Windows matrix job, and `forge.config.ts` enables `windowsSign`/MakerSquirrel signing only when that flag is set, failing fast with a clear error if `AZURE_CODE_SIGNING_DLIB` is missing. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 132029c13f0da8afde3f864dc58a1ebdaeddf28e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Only enable Windows code signing in release workflow (#2459)
d3ae1545 · Will Chen · GitHub · 6d979dd1 · d3ae1545 · d3ae1545
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -156,6 +156,7 @@ jobs:
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          WINDOWS_SIGN: ${{ contains(matrix.os.name, 'windows') && 'true' || '' }}

  verify-assets:
    name: Verify Release Assets

--- a/forge.config.ts
+++ b/forge.config.ts
@@ -56,11 +56,18 @@ const ignore = (file: string) => {
 };

 const isEndToEndTestBuild = process.env.E2E_TEST_BUILD === "true";
-const isGitHubActions = process.env.GITHUB_ACTIONS === "true";
+const isWindowsSigningEnabled = process.env.WINDOWS_SIGN === "true";
+
+if (isWindowsSigningEnabled && !process.env.AZURE_CODE_SIGNING_DLIB) {
+  throw new Error(
+    "WINDOWS_SIGN is enabled but AZURE_CODE_SIGNING_DLIB is not set. " +
+      "Ensure Azure Trusted Signing tools are installed.",
+  );
+}

 const config: ForgeConfig = {
  packagerConfig: {
-    windowsSign: isGitHubActions ? windowsSign : undefined,
+    windowsSign: isWindowsSigningEnabled ? windowsSign : undefined,
    protocols: [
      {
        name: "Dyad",
@@ -93,7 +100,7 @@ const config: ForgeConfig = {
  makers: [
    new MakerSquirrel(
      // @ts-expect-error - incorrect types exported by MakerSquirrel
-      isGitHubActions
+      isWindowsSigningEnabled
        ? {
            windowsSign,
            iconUrl: