Self-packaging #9: CI cross-platform verification (Linux x86/ARM, macOS, Windows)

[jrosskopf]

Part of epic #40. Depends on #6 (integration tests) and #8 (macOS path).

Goal

Run the self-packaging integration tests on every platform flapi
already builds for, so regressions are caught before release.

Scope

Extend .github/workflows/build.yaml:

• Linux x86_64 (ubuntu-latest) — run
  pytest test/integration/test_self_packaging.py -v.
• Linux ARM64 (ubuntu-24.04-arm) — same.
• macOS ARM64 (macos-latest) — run both
  test_self_packaging.py and
  test_self_packaging_macos.py (codesign verification).
  • codesign --verify --deep --strict on the
    reserved-segment output is a hard fail.
  • --macos-append legacy path is a continue-on-error step
    that emits a GitHub-Actions warning when the signature fails
    (visibility, not blocker).
• Windows x64 (windows-latest) — PowerShell-equivalent of the
  round-trip script. The spike already has roundtrip.ps1 we can
  lift verbatim.

Reproducibility assertion (single CI step, any leg):

• flapi pack --in fixtures/ --out a.bin && flapi pack --in fixtures/ --out b.bin
• sha256sum a.bin b.bin → identical (SOURCE_DATE_EPOCH stamped,
  sorted entries).

Red criteria

• CI is initially red for all four legs on the branch where Flapi exe is not working for non docker local testing #6 and
  Offset parameter along with limit causes incorrect response #8 land. Goes green incrementally as those issues complete.

Green criteria

• All four legs green.
• Total added CI time per leg < 3 minutes (these tests should not
  meaningfully slow the build).
• Reproducibility check passes.

Files

• Modified: .github/workflows/build.yaml
• Possibly: .github/scripts/test-self-packaging-windows.ps1 if we
  lift the spike's PowerShell wrapper.