fix: sign all bundled dylibs and exclude dotfiles from doc/

macOS's code signing monitor validates every loaded Mach-O
inside a .app bundle. The CI was only signing the engine binary
and launcher script, but the bundled dylibs were left with the
CI's self-signed cert identity which isn't trusted on user
machines. Now signs all *.dylib in the lib/ directory before
signing the outer bundle.

Also switches doc copy from cp -R to rsync --exclude='.*' to
prevent dotfiles (.hugo_build.lock, .gitignore) from being
included in the bundle seal, since these get dropped during
artifact upload and invalidate the code signature.

Author: Mearman

.github/workflows/macos-build.yml

@@ -267,7 +267,10 @@ jobs:
             process_dylib "$MOLTEN_PREFIX/lib/libMoltenVK.dylib"
           fi
 
-          cp -R ../src/doc/site/. "$APP/Contents/Resources/doc/" 2>/dev/null || true
+          # Copy docs but exclude dotfiles (like .hugo_build.lock,
+          # .gitignore) that get dropped during artifact upload and
+          # break the code-signed bundle seal.
+          rsync -a --exclude='.*' ../src/doc/site/ "$APP/Contents/Resources/doc/" 2>/dev/null || true
 
           # Launcher: cd into the bundle's Resources dir, then exec
           # the engine. Anything the engine writes (logs, savegames,
@@ -382,7 +385,12 @@ jobs:
           # Verify the identity is visible.
           security find-identity -v "$KEYCHAIN"
 
-          # Sign inner binaries first, then the outer bundle.
+          # Sign all bundled dylibs, the engine binary, the launcher,
+          # and then the outer bundle. macOS's code signing monitor
+          # validates every loaded Mach-O inside a .app bundle, so
+          # every dylib must have a recognised signature.
+          codesign --force --keychain "$KEYCHAIN" --sign "$CERT_NAME" \
+            "$APP/Contents/Resources/lib/"*.dylib
           codesign --force --keychain "$KEYCHAIN" --sign "$CERT_NAME" \
             "$APP/Contents/Resources/bin/spring" \
             "$APP/Contents/MacOS/$APP_NAME"