CI: Sign and notarize macOS builds on new tags

[DDRBoxman]

Description

If a new tag is created we now sign and notarize the osx build.

Motivation and Context

This should streamline making new releases

How Has This Been Tested?

Ran on staging branch, downloaded dmg and it was signed

Types of changes

Checklist:

• My code has been run through clang-format.
• I have read the contributing document.
• My code is not on the master branch.
• The code has been tested.
• All commit messages are properly formatted and commits squashed where appropriate.
• I have included updates to all appropriate documentation.

[PatTheMav]

@DDRBoxman Y u no use xcnotary? I added that to the brewfile for a reason. 😕

There's also a "proper" way to do notarisation on Github CI that doesn't require the base64 homebrew dependency and simplifies the process, I'll try to adapt this later tonight: https://github.com/PatTheMav/obs-websocket/blob/a479f529af1e5bf4214d39cec36fad6e6f101a14/.github/workflows/tag_release.yml#L395

In general notarising the dmg is enough because stapling will be applied recursively if done right, so running xcnotary on the dmg once is sufficient. I'd also suggest always codesigning on macOS anyway in prep for Apple Silicon which would also allow the dmg generated for nightlies to be codesigned (and then just be thrown at the notarisation process on a tag event).