fix: notarize macOS binaries before publishing release

Split goreleaser into build (--skip=publish) and publish (continue
--merge) phases. Notarization runs between the two, ensuring the
zip files in the GitHub release are already notarized.

Author: nahime0

.github/workflows/release.yml

@@ -45,17 +45,17 @@ jobs:
             -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain
 
-      # Build, sign, and create release
+      # Build, sign, and archive — but don't publish yet
       - uses: goreleaser/goreleaser-action@v6
         with:
           version: "~> v2"
-          args: release --clean
+          args: release --clean --skip=publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
           APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
 
-      # Notarize macOS archives
+      # Notarize macOS archives before publishing
       - name: Notarize macOS binaries
         env:
           APPLE_ID: ${{ secrets.APPLE_ID }}
@@ -72,6 +72,16 @@ jobs:
             echo "Notarized: $archive"
           done
 
+      # Now publish: create GitHub release and upload all artifacts
+      - name: Publish release
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: "~> v2"
+          args: continue --merge
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
+
       # Clean up keychain
       - name: Clean up keychain
         if: always()