Member

@sigmachirality sigmachirality commented Jan 21, 2026

Follow up to #239 which fixes the following codesign issue by running the build script inside of a macos runner:

 > Warning Unable to sign the macOS executable
  Due to the mandatory code signing requirement, before the
  executable is distributed to end users, it must be signed.
  Otherwise, it will be immediately killed by kernel on launch.
  An ad-hoc signature is sufficient.
  To do that, run pkg on a Mac, or transfer the executable to a Mac
  and run "codesign --sign - <executable>", or (if you use Linux)
  install "ldid" utility to PATH and then run pkg again


semanticdiff-com bot commented Jan 21, 2026

Review changes with  SemanticDiff

Changed Files
File Status
  .github/workflows/release.yml  0% smaller

@sigmachirality sigmachirality changed the title from "fix: run release CI inside macos image" to "fix: run release ci inside mac gh runner" Jan 21, 2026
@sigmachirality sigmachirality merged commit 7ff7b39 into main Jan 21, 2026
1 check passed
@sigmachirality sigmachirality deleted the dt/debug-release branch January 21, 2026 21:06
Contributor

greptile-apps bot commented Jan 21, 2026

Greptile Summary

This PR changes the release workflow to run on macos-latest instead of ubuntu-latest. This addresses the code signing requirement for macOS executables generated by @yao-pkg/pkg.

Key Changes:

  • Changed runs-on from ubuntu-latest to macos-latest in .github/workflows/release.yml:19

Context:
When compiling macOS binaries on Linux, the @yao-pkg/pkg tool cannot properly code sign the executables. macOS has a mandatory code signing requirement where unsigned executables are immediately killed by the kernel on launch. By running the workflow on macOS, the binaries can be automatically signed (at minimum with an ad-hoc signature) during compilation, preventing runtime issues for users.

Impact:

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The change is a single-line modification that directly addresses a known issue with macOS binary code signing. The solution is straightforward and follows the recommended approach from the pkg tool documentation.
  • No files require special attention

Important Files Changed

Filename Overview
.github/workflows/release.yml Changed runner from ubuntu-latest to macos-latest to enable proper code signing of macOS binaries during pkg compilation

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant macOS as macOS Runner
    participant Bun as Bun Runtime
    participant Pkg as @yao-pkg/pkg
    participant GH as GitHub Release
    
    GHA->>macOS: Trigger workflow (macos-latest)
    macOS->>macOS: Checkout repository
    macOS->>Bun: Setup Bun runtime
    macOS->>Bun: Install dependencies
    macOS->>Bun: Run lint & type check & tests
    macOS->>macOS: Configure Git credentials
    macOS->>Bun: Execute release.ts script
    Bun->>Bun: Bump version in package.json
    Bun->>Bun: Bundle with tsup
    loop For each target (linux-x64, linux-arm64, macos-x64, macos-arm64)
        Bun->>Pkg: Compile binary for target
        Pkg->>Pkg: Generate executable
        Note over Pkg: macOS binaries get ad-hoc signature automatically
        Pkg->>Bun: Return signed binary
        Bun->>Bun: Zip binary
    end
    Bun->>GH: Create GitHub release with binaries
    Bun->>macOS: Commit version bump
    macOS->>GHA: Push to main branch
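
Added example, not part of this PR or of any comment above: a release gate that runs on any OS and checks whether a built macOS binary carries an `LC_CODE_SIGNATURE` load command before it is uploaded. The names `hasCodeSignature` and `buildSample` are hypothetical, the sample bytes are constructed, and only thin little-endian Mach-O files are handled (not universal binaries).

```typescript
// Added example (not code from this PR). Reports whether a thin Mach-O file
// carries an LC_CODE_SIGNATURE load command. Presence of the command does not
// prove the signature is valid; `codesign --verify` on a Mac checks that.
const MH_MAGIC = 0xfeedface; // 32-bit Mach-O, 28-byte header
const MH_MAGIC_64 = 0xfeedfacf; // 64-bit Mach-O, 32-byte header
const LC_CODE_SIGNATURE = 0x1d;

function hasCodeSignature(bytes: Uint8Array): boolean {
  if (bytes.byteLength < 28) throw new Error("too short for a Mach-O header");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const magic = view.getUint32(0, true);
  if (magic !== MH_MAGIC && magic !== MH_MAGIC_64) {
    throw new Error("not a thin little-endian Mach-O file");
  }
  const ncmds = view.getUint32(16, true); // number of load commands
  let offset = magic === MH_MAGIC_64 ? 32 : 28;
  for (let i = 0; i < ncmds; i++) {
    if (offset + 8 > bytes.byteLength) throw new Error("truncated load commands");
    const cmd = view.getUint32(offset, true);
    const cmdsize = view.getUint32(offset + 4, true);
    if (cmdsize < 8) throw new Error("invalid load command size");
    if (cmd === LC_CODE_SIGNATURE) return true;
    offset += cmdsize;
  }
  return false;
}

// Constructed sample: 64-bit header plus 16-byte load commands (sizes are
// simplified for the sample; real commands vary in length).
function buildSample(cmds: number[]): Uint8Array {
  const out = new Uint8Array(32 + 16 * cmds.length);
  const view = new DataView(out.buffer);
  view.setUint32(0, MH_MAGIC_64, true);
  view.setUint32(16, cmds.length, true); // ncmds
  view.setUint32(20, 16 * cmds.length, true); // sizeofcmds
  cmds.forEach((cmd, i) => {
    view.setUint32(32 + 16 * i, cmd, true);
    view.setUint32(32 + 16 * i + 4, 16, true);
  });
  return out;
}

const signed = hasCodeSignature(buildSample([0x1b, LC_CODE_SIGNATURE]));
const unsigned = hasCodeSignature(buildSample([0x1b]));
console.log({ signed, unsigned });
```

In a release script, the bytes would come from reading each macOS target's output file, and a `false` result would fail the job before the release is created.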