sign-binaries: false passes empty strings for TAURI_SIGNING_PRIVATE_KEY
and APPLE_CERTIFICATE, but Tauri treats a set-but-empty env var as a
signing attempt, causing all builds to fail. Use sign-binaries: true to
match pr-test-build.yml — secrets are already configured in the repo.
* ci: add full build and quality checks on push to main
Adds a new main-build.yml workflow that runs the full 7-platform build
matrix on every push to main, uploading artifacts for 30 days. Also
adds push-to-main triggers to code-quality, test, and nix-check
workflows. The nix full build now always runs on main pushes (not just
when nix packaging files change), catching the expensive breakage that
currently requires manual verification before each release.
* ci: fix permissions and clarify nix full-build intent
- narrow contents: write to contents: read in main-build.yml — no
release assets are uploaded here so write access is unnecessary
- update nix-check comment to reflect that the full build always runs
on push to main (not just when nix files change), matching intent