Code-sign Kallichore binaries on Windows

[jmcphers]

Signs Kallichore releases on Windows.

Part of posit-dev/positron#9962

[Copilot]

Pull request overview

This PR adds code signing for Windows releases of Kallichore by introducing a signing step in the release workflow and bumping the version to 0.1.61.

• Adds a Windows binary signing workflow using a reusable workflow from posit-dev/posit-gh-actions
• Refactors the Windows build process to separate building, signing, and packaging into distinct jobs
• Updates job dependencies to ensure signed binaries are used in releases

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File	Description
crates/kcserver/Cargo.toml	Bumps version from 0.1.60 to 0.1.61
Cargo.lock	Updates lock file to reflect version 0.1.61
.github/workflows/release.yml	Adds signing workflow with new jobs for signing Windows binaries and repackaging signed executables; updates job dependencies to include signing steps

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The sign_windows job attempts to use a matrix strategy with a reusable workflow, but GitHub Actions does not support matrix strategies at the job level when calling reusable workflows. The matrix strategy should be defined inside the reusable workflow itself, or this job needs to be split into separate jobs for each combination.

This will cause the workflow to fail because you cannot use 'strategy.matrix' with a job that uses a reusable workflow (the 'uses' keyword). Either remove the matrix strategy here and handle it within the reusable workflow, or create separate jobs for each matrix combination.

Suggested change

	sign_windows:
	name: "Sign Windows Binaries"
	uses: posit-dev/posit-gh-actions/.github/workflows/sign-windows.yml@main
	needs: [build_windows, get_version]
	secrets: inherit
	strategy:
	matrix:
	arch: [x64, arm64]
	flavor: [debug, release]
	with:
	unsigned_artifact_name: kallichore-${{ matrix.flavor }}-windows-${{ matrix.arch }}-unsigned
	signed_artifact_name: kallichore-${{ matrix.flavor }}-windows-${{ matrix.arch }}-signed
	repackage_signed_windows:
	name: Repackage Signed Windows Binaries
	runs-on: windows-latest
	needs: [sign_windows, get_version]
	sign_windows_x64_debug:
	name: "Sign Windows Binaries (x64, debug)"
	uses: posit-dev/posit-gh-actions/.github/workflows/sign-windows.yml@main
	needs: [build_windows, get_version]
	secrets: inherit
	with:
	unsigned_artifact_name: kallichore-debug-windows-x64-unsigned
	signed_artifact_name: kallichore-debug-windows-x64-signed
	arch: x64
	flavor: debug
	sign_windows_x64_release:
	name: "Sign Windows Binaries (x64, release)"
	uses: posit-dev/posit-gh-actions/.github/workflows/sign-windows.yml@main
	needs: [build_windows, get_version]
	secrets: inherit
	with:
	unsigned_artifact_name: kallichore-release-windows-x64-unsigned
	signed_artifact_name: kallichore-release-windows-x64-signed
	arch: x64
	flavor: release
	sign_windows_arm64_debug:
	name: "Sign Windows Binaries (arm64, debug)"
	uses: posit-dev/posit-gh-actions/.github/workflows/sign-windows.yml@main
	needs: [build_windows, get_version]
	secrets: inherit
	with:
	unsigned_artifact_name: kallichore-debug-windows-arm64-unsigned
	signed_artifact_name: kallichore-debug-windows-arm64-signed
	arch: arm64
	flavor: debug
	sign_windows_arm64_release:
	name: "Sign Windows Binaries (arm64, release)"
	uses: posit-dev/posit-gh-actions/.github/workflows/sign-windows.yml@main
	needs: [build_windows, get_version]
	secrets: inherit
	with:
	unsigned_artifact_name: kallichore-release-windows-arm64-unsigned
	signed_artifact_name: kallichore-release-windows-arm64-signed
	arch: arm64
	flavor: release
	repackage_signed_windows:
	name: Repackage Signed Windows Binaries
	runs-on: windows-latest
	needs:
	- sign_windows_x64_debug
	- sign_windows_x64_release
	- sign_windows_arm64_debug
	- sign_windows_arm64_release
	- get_version

[jmcphers]

This will cause the workflow to fail

no it works fine! you're wrong.