What:

This PR Integrates the Notarization process in the Arduino CLI Relese pipeline.

Why:

As per Apple announcement:

Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized.

How:

The PR moves the responsibility of GitHub release creation and Arduino servers upload, from goreleaser to GH Actions steps, and adds the notarization step leveraging Gon (Thanks to @mitchellh and to @zmoog who discovered the tool 😄 )

The notarize-macos job must run on a macos-latest VM, in order to allow gon to orchestrate all the required notarization tools, this means that container steps cannot be used in the same job.
This is why the release pipeline is split in 3 jobs that share artifacts via the artifacts Github Actions feature.

A detailed explanation is required for the Notarize binary, re-package it and update checksum step, that configures the MacOs keychain with obscure osx commands and calls gon doing the following:

1. Download keychain from GH secrets and decode it from base64
2. Add the keychain to the system keychains and unlock it
3. Call Gon to start notarization process (using AC_USERNAME and AC_PASSWORD secrets)
4. Repackage the signed binary replaced in place by Gon (ignoring the output zip file)
5. Recalculate package checksum and replace it in the goreleaser nnnnnn-checksums.txt file

Pros:

This way we do not lose:

1. the "build reproducibility", because we still use goreleaser plus multiarch/crossbuild container to produce the artifacts
2. the automatic changelog generation from goreleaser
3. the automatic checksum file generation from goreleaser

Cons:

• We add a bit of complexity to the release workflow (that is acceptable in the end, having handy GitHub actions ready to use).
• We lost a portion of my mental health 😸