ci: limit macOS signing and notarization to main runs

[philliphoff]

Summary

PR pipelines spend a large share of their time signing and notarizing the macOS artifacts. Notarization in particular uploads to Apple's notary service and polls for a result, adding many minutes per run. We don't need signed/notarized macOS bits on PR builds — a developer who needs to run an unsigned PR artifact can clear the com.apple.quarantine attribute themselves.

This change gates the macOS signing/notarization/stapling steps in .github/workflows/ci.yml to main CI runs only (pushes to main and v* tags), skipping them on pull_request events.

All nine signing-related steps already keyed off a single job-level env var. Rather than touch each if:, this renames HAS_SIGNING_SECRETS to MACOS_SIGNING_ENABLED and folds the event guard into its expression:

MACOS_SIGNING_ENABLED: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12 != '' && github.event_name != 'pull_request' }}

PR macOS jobs still compile, package the .app/DMG/CLI, and upload (unsigned) artifacts — those steps are gated only on matrix.rid == 'osx-arm64', not on signing.

Closes #290

Spec alignment

• N/A — change is purely infrastructural (build, CI, docs, tooling)

Spec section references cited in code/docs:

N/A

Tests

• Added/updated xunit tests under tests/
• Tests requiring real data files use SkippableFact
• dotnet test --configuration Release passes locally

N/A — CI workflow change only. Validated ci.yml parses as YAML and confirmed no stale references to the old env var name remain.

Documentation

• Updated the affected project's src/<project>/README.md
• Updated conceptual docs under docs/ if user-facing behaviour changed
• New public APIs have XML doc comments

N/A — no public API or user-facing behaviour change.

Dependencies

• No new NuGet dependencies, OR versions added to Directory.Packages.props (not in the .csproj)
• gh-advisory-database security check run for any new dependency

Breaking changes

None. PR builds now produce unsigned macOS artifacts (previously signed only when secrets were available); main and tag builds are unchanged.

[github-actions]

Performance Gate

✅ PASSED — no regressions.

Threshold: 10.0%, MAD multiplier (k): 3.0, retry-zone mult: 2.0×

Scenario summary

Scenario	Status	Δ median (%)	z (Δ/MAD)	Base median (ms)	Samples (b/c)
exchange-set-open	✅ pass	+3.5	+1.18	1.22	5/5
s101-portray-cold	✅ pass	-0.9	-0.08	0.23	5/5
s101-portray-warm	✅ pass	-0.4	-0.20	0.22	5/5
s101-real-cold	✅ pass	-0.7	-0.59	0.28	5/5
s101-real-warm	✅ pass	-2.2	-0.38	0.29	5/5
s101-render-warm	✅ pass	+2.3	+0.22	0.22	5/5
s102-coverage	✅ pass	-7.2	-1.73	0.17	5/5
s102-coverage-open	✅ pass	-1.5	-0.21	2.84	20/20
s102-coverage-render-large	✅ pass	+2.3	+1.29	0.19	5/5
s102-real-warm	✅ pass	-6.8	-1.65	0.34	5/5
s111-real-warm	✅ pass	+1.3	+0.12	0.28	5/5
s124-vector	✅ pass	-4.3	-1.53	0.20	5/5
s201-vector	✅ pass	-20.1	-1.47	0.23	5/5

exchange-set-open

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	1.22	1.26
Baseline MAD (ms)	0.04	—
Δ median	—	+3.5%
z (Δ/MAD)	—	+1.18

Spans (sum of all iterations)

Span	Baseline (ms)	Candidate (ms)	Delta	Status
s100.asset.read	2.56	2.77	+8.1%	❌
s100.exchangeset.parse	44.29	44.35	+0.1%	▫️

Metrics

Metric	Baseline	Candidate	Delta	Status
s100.asset.read.duration	0.18	0.16	-12.4%	✅

s101-portray-cold

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.23	0.23
Baseline MAD (ms)	0.02	—
Δ median	—	-0.9%
z (Δ/MAD)	—	-0.08

s101-portray-warm

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.22	0.22
Baseline MAD (ms)	0.00	—
Δ median	—	-0.4%
z (Δ/MAD)	—	-0.20

s101-real-cold

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.28	0.27
Baseline MAD (ms)	0.00	—
Δ median	—	-0.7%
z (Δ/MAD)	—	-0.59

s101-real-warm

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.29	0.29
Baseline MAD (ms)	0.02	—
Δ median	—	-2.2%
z (Δ/MAD)	—	-0.38

s101-render-warm

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.22	0.22
Baseline MAD (ms)	0.02	—
Δ median	—	+2.3%
z (Δ/MAD)	—	+0.22

s102-coverage

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.17	0.16
Baseline MAD (ms)	0.01	—
Δ median	—	-7.2%
z (Δ/MAD)	—	-1.73

s102-coverage-open

Iteration statistics

Stat	Baseline	Candidate
Samples	20	20
Median (ms)	2.84	2.80
Baseline MAD (ms)	0.20	—
Δ median	—	-1.5%
z (Δ/MAD)	—	-0.21

Spans (sum of all iterations)

Span	Baseline (ms)	Candidate (ms)	Delta	Status
s100.dataset.open	448.95	457.44	+1.9%	▫️
s100.hdf5.dataset.read	163.68	164.56	+0.5%	▫️
s100.hdf5.file.open	18.72	18.69	-0.2%	▫️
s100.hdf5.open	18.46	18.54	+0.5%	▫️

Metrics

Metric	Baseline	Candidate	Delta	Status
s100.hdf5.read.bytes	36456.00	36456.00	+0.0%	▫️
s100.hdf5.read.duration	26.53	26.67	+0.5%	▫️
s100.hdf5.read.duration	31.39	31.28	-0.4%	▫️
s100.hdf5.read.duration	11.09	12.23	+10.2%	❌

s102-coverage-render-large

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.19	0.20
Baseline MAD (ms)	0.00	—
Δ median	—	+2.3%
z (Δ/MAD)	—	+1.29

s102-real-warm

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.34	0.31
Baseline MAD (ms)	0.01	—
Δ median	—	-6.8%
z (Δ/MAD)	—	-1.65

s111-real-warm

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.28	0.29
Baseline MAD (ms)	0.03	—
Δ median	—	+1.3%
z (Δ/MAD)	—	+0.12

s124-vector

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.20	0.19
Baseline MAD (ms)	0.01	—
Δ median	—	-4.3%
z (Δ/MAD)	—	-1.53

s201-vector

Iteration statistics

Stat	Baseline	Candidate
Samples	5	5
Median (ms)	0.23	0.19
Baseline MAD (ms)	0.03	—
Δ median	—	-20.1%
z (Δ/MAD)	—	-1.47

---

Generated by EncDotNet.S100.PerfReport gate command