Summary

• replace the old Linux/Windows/macOS release matrix with a macOS-only release wrapper
• call the new reusable macOS desktop release workflow from vuon9/gh-workflows
• add a deterministic universal macOS package script for DevToolbox.app
• update macOS release docs with Apple Developer secret names, notarization flow, and local Gatekeeper checks

Verification

• ruby YAML parse for .github/workflows/*.yml
• bash -n scripts/package-macos-universal.sh
• go test ./internal/...
• scripts/package-macos-universal.sh builds bin/DevToolbox.app locally
• confirmed bin/DevToolbox is a universal x86_64/arm64 Mach-O binary
• confirmed app bundle CFBundleName=DevToolbox and CFBundleIdentifier=com.vuon9.devtoolbox

Operator checklist before first signed release

• Merge feat: add reusable Wails macOS release workflow gh-workflows#1, tag the reusable workflow release, then update this workflow ref from the temporary branch ref to that tag
• Configure Apple Developer secrets: APPLE_DEVELOPER_ID_APPLICATION_CERTIFICATE_P12_BASE64, APPLE_DEVELOPER_ID_APPLICATION_CERTIFICATE_PASSWORD, APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_API_KEY_ID, APP_STORE_CONNECT_API_ISSUER_ID
• Optionally configure MACOS_CODESIGN_IDENTITY if the imported certificate identity should be pinned
• Run workflow_dispatch once, then cut a macos/devtoolbox/v* tag for the first public signed release

Depends on vuon9/gh-workflows#1.