Use Azure Trusted Signing when available

[speednoisemovement]

This change uses Azure Trusted Signing to sign all WiX-based outputs if:

1. inputs.signed is true
2. The TRUSTED_SIGNING_ACCOUNT secret is set for the repository.

The following secrets are required:

• AZURE_SP_CREDENTIALS: JSON credentials for an Azure Service Principal with Trusted Signing Certificate Profile Signer roles on the given trusted signing account and certificate profiles
• TRUSTED_SIGNING_ACCOUNT, an Azure Trusted Signing Account which owns TRUSTED_SIGNING_PROD_PROFILE (and TRUSTED_SIGNING_TEST_PROFILE when used)
• TRUSTED_SIGNING_PROD_PROFILE, a non-test certificate profile

and optionally

• TRUSTED_SIGNING_TEST_PROFILE, which isn't actively used in the workflow, but is helpful to have in development.

[Steelskin]

Thank you! So happy to see this finally happening.

[compnerd]

If you want to reduce duplication, one option would be to create the signing metadata once and share that across the jobs in the setup for the signing.

[speednoisemovement]

If you want to reduce duplication, one option would be to create the signing metadata once and share that across the jobs in the setup for the signing.

I don't want to write secrets to disk. I had the template as an env originally, but it broke the env copying code in gha-setup-swift. To be fair, these are not the most secret of secrets, but there's some info disclosure risk so I'm playing it safe.