ci: add workflow to build test binaries and MSIs on demand#105

Merged
ashishkurmi merged 1 commit into
step-security:mainfrom
ashishkurmi:main
May 23, 2026
Conversation

@ashishkurmi
Member

Adds .github/workflows/test-build.yml, a workflow_dispatch-only workflow that produces test binaries and MSIs from an arbitrary commit without cutting a release tag. The existing release.yml is intentionally left untouched — it remains the single source of truth for tagged releases (cosign signing, build-provenance attestation, draft GitHub release publishing).

Motivation

This fork needs a way to hand out test artifacts for in-progress changes (e.g. a pre-merge PR review build, an ad-hoc smoke test of a particular commit) without polluting the release pipeline or incrementing the version in internal/buildinfo/version.go.

Workflow shape

Triggered only via workflow_dispatch, with two inputs:

  • commit_id (required): the SHA to check out and build from.
  • pr_id (optional): a PR number to comment on with the run link.

Three jobs:

build (ubuntu-latest)
- Checks out the requested commit at fetch-depth: 0.
- Reads the build version from internal/buildinfo/version.go for use by the MSI step.
- Runs goreleaser release --snapshot --clean --skip=publish so no tag is created or pushed, and no draft release is opened on GitHub. Cosign signing and attestation are deliberately skipped — they are release-only concerns and would just add cost and latency for a test build.
- Goreleaser snapshot leaves the per-OS/arch binaries inside their builder subdirectories (dist/universal_darwin_all/..., dist/stepsecurity-dev-machine-guard_linux_amd64_v1/..., etc.). A staging step locates each one via find (mirroring release.yml's lookup style) and copies it into a flat staging/ directory with release-style filenames, so artifacts look the same as a real release and the MSI job's Get-ChildItem filter keeps working.
- Uploads three per-platform artifacts:
* darwin — universal darwin binary
* linux — linux_amd64 + linux_arm64 binaries, .deb, .rpm
* windows-exes — agent + launcher .exes for amd64 and arm64

build-msi (windows-latest)
- Installs WiX 4 + the Util extension (same versions release.yml uses).
- Downloads the windows-exes artifact into dist/.
- Builds x64 + arm64 MSIs with the same wix build invocation as release.yml.
- Uploads windows-msis as a fourth artifact.

comment-on-pr (ubuntu-latest)
- Runs only when pr_id is non-empty and both build jobs succeed.
- Posts a comment on the PR linking the short SHA (to github.com/<repo>/commit/<sha>) and the workflow run URL where reviewers can download the artifacts.
- pull-requests:write is scoped to this job only; the build jobs run with contents:read.

Hardening

  • step-security/harden-runner runs first in every job with egress-policy: audit.
  • All third-party actions are pinned to full commit SHAs with the version in a trailing comment, matching release.yml and msi-smoke.yml.
  • The top-level permissions block is empty; each job opts into only the scopes it needs.

What does this PR do?

Type of change

  • Bug fix
  • Enhancement
  • Documentation

Testing

  • Tested on macOS (version: ___)
  • Binary runs without errors: ./stepsecurity-dev-machine-guard --verbose
  • JSON output is valid: ./stepsecurity-dev-machine-guard --json | python3 -m json.tool
  • No secrets or credentials included
  • Lint passes: make lint
  • Tests pass: make test

Related Issues
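The Hardening section above relies on every third-party action being pinned to a full commit SHA with the version in a trailing comment. The following is an added example, not code from this PR or the step-security project: a small stdlib-only audit that scans a workflow file for `uses:` references and reports any that are not pinned that way. The workflow text and the 40-hex SHAs in it are constructed placeholders, not real pins.

```python
import re

# A `uses:` line: owner/repo[/path]@ref, optionally followed by a comment.
# Local actions (./path) and docker:// references carry no owner/repo@ref
# form and are therefore not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*")


def audit_pins(workflow_text):
    """Return (line_no, action, ref, reason) for each action reference that is
    not pinned to a full 40-hex commit SHA with a trailing version comment."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref, "not pinned to a full 40-hex commit SHA"))
        elif not comment or not VERSION_RE.match(comment.strip()):
            findings.append((line_no, action, ref, "missing trailing version comment"))
    return findings


# Constructed sample workflow: one correctly pinned step, one tag-pinned step,
# one SHA-pinned step without the version comment. The SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: test-build
on:
  workflow_dispatch:
    inputs:
      commit_id:
        required: true
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # v2.0.0
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@1111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for line_no, action, ref, reason in audit_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref}: {reason}")
```

Quoted `uses:` values (`uses: "owner/repo@ref"`) are not handled by this regex; extend it if a repository uses that style.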

Adds .github/workflows/test-build.yml, a workflow_dispatch-only
workflow that produces test binaries and MSIs from an arbitrary commit
without cutting a release tag. The existing release.yml is intentionally
left untouched — it remains the single source of truth for tagged
releases (cosign signing, build-provenance attestation, draft GitHub
release publishing).

Motivation
----------
This fork needs a way to hand out test artifacts for in-progress
changes (e.g. a pre-merge PR review build, an ad-hoc smoke test of a
particular commit) without polluting the release pipeline or
incrementing the version in internal/buildinfo/version.go.

Workflow shape
--------------
Triggered only via workflow_dispatch, with two inputs:
  - commit_id (required): the SHA to check out and build from.
  - pr_id (optional): a PR number to comment on with the run link.

Three jobs:

  build (ubuntu-latest)
    - Checks out the requested commit at fetch-depth: 0.
    - Reads the build version from internal/buildinfo/version.go for
      use by the MSI step.
    - Runs `goreleaser release --snapshot --clean --skip=publish` so
      no tag is created or pushed, and no draft release is opened on
      GitHub. Cosign signing and attestation are deliberately skipped
      — they are release-only concerns and would just add cost and
      latency for a test build.
    - Goreleaser snapshot leaves the per-OS/arch binaries inside
      their builder subdirectories (dist/universal_darwin_all/...,
      dist/stepsecurity-dev-machine-guard_linux_amd64_v1/..., etc.).
      A staging step locates each one via find (mirroring release.yml's
      lookup style) and copies it into a flat staging/ directory with
      release-style filenames, so artifacts look the same as a real
      release and the MSI job's Get-ChildItem filter keeps working.
    - Uploads three per-platform artifacts:
        * darwin       — universal darwin binary
        * linux        — linux_amd64 + linux_arm64 binaries, .deb, .rpm
        * windows-exes — agent + launcher .exes for amd64 and arm64

  build-msi (windows-latest)
    - Installs WiX 4 + the Util extension (same versions release.yml
      uses).
    - Downloads the windows-exes artifact into dist/.
    - Builds x64 + arm64 MSIs with the same `wix build` invocation as
      release.yml.
    - Uploads windows-msis as a fourth artifact.

  comment-on-pr (ubuntu-latest)
    - Runs only when pr_id is non-empty and both build jobs succeed.
    - Posts a comment on the PR linking the short SHA (to
      github.com/<repo>/commit/<sha>) and the workflow run URL where
      reviewers can download the artifacts.
    - pull-requests:write is scoped to this job only; the build jobs
      run with contents:read.

Hardening
---------
- step-security/harden-runner runs first in every job with
  egress-policy: audit.
- All third-party actions are pinned to full commit SHAs with the
  version in a trailing comment, matching release.yml and
  msi-smoke.yml.
- The top-level permissions block is empty; each job opts into only
  the scopes it needs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ashishkurmi ashishkurmi merged commit a518d6b into step-security:main May 23, 2026
10 checks passed