ci(release): fix electron-builder path and harden Windows signing setup

- Invoke electron-builder via `pnpm exec` so the binary resolves from
  the workspace's node_modules/.bin (the bare command isn't on PATH in
  release runners).
- Gate the NuGet provider install on AZURE_TENANT_ID being set, force
  TLS 1.2, and pin a MinimumVersion so the install works on current
  windows-latest images.
- Build an unsigned Windows installer when Azure signing secrets are
  absent instead of failing the job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: SDSLeon

.github/workflows/release.yml

@@ -108,7 +108,15 @@ jobs:
       - name: Install NuGet provider (Windows signing)
         if: matrix.os == 'windows-latest'
         shell: pwsh
-        run: Install-PackageProvider -Name NuGet -Force -Scope CurrentUser
+        env:
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        run: |
+          if (-not $env:AZURE_TENANT_ID) {
+            Write-Host "AZURE_TENANT_ID not set; skipping NuGet provider installation."
+            exit 0
+          }
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser
 
       - name: Build app
         run: pnpm run build
@@ -145,14 +153,19 @@ jobs:
         run: |
           if [ "${{ matrix.os }}" = "windows-latest" ]; then
             pnpm run prepare:package-assets
-            electron-builder --win --config electron-builder.yml --config build/signing.yml
+            if [ -n "$AZURE_TENANT_ID" ]; then
+              pnpm exec electron-builder --win --config electron-builder.yml --config build/signing.yml
+            else
+              echo "Azure signing secrets not configured; building unsigned Windows installer."
+              pnpm exec electron-builder --win
+            fi
           else
             if [ "${{ matrix.os }}" = "macos-latest" ]; then
               pnpm run prepare:agent-plugins
-              electron-builder --mac
+              pnpm exec electron-builder --mac
             else
               pnpm run prepare:package-assets
-              electron-builder --linux
+              pnpm exec electron-builder --linux
             fi
           fi
         shell: bash