[DEVOPS-1333] Add code signing to the Windows bws CLI (#534)

## Type of change

<!-- (mark with an `X`) -->

```
- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [x] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective

<!--Describe what the purpose of this PR is. For example: what bug
you're fixing or what new feature you're adding-->

Digitally sign Windows CLI .exe executable to prevent warning showing up
on clients' computers while running `bws` commands.

## Code changes

<!--Explain the changes you've made to each file or major component.
This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->

- **.github/workflows/build-cli.yml:** 
  - split Windows and UNIX build jobs
- add steps to windows build job to login to Azure, get secrets from
KeyVault, install azuresigntool and use azuresigntool to sign windows
CLI artifact.

## Before you submit

- Please add **unit tests** where it makes sense to do so

---------

Co-authored-by: Vince Grassia <[email protected]>

.github/workflows/build-cli.yml

@@ -20,6 +20,7 @@ jobs:
     runs-on: ubuntu-22.04
     outputs:
       package_version: ${{ steps.retrieve-version.outputs.package_version }}
+      sign: ${{ steps.sign.outputs.sign }}
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -30,6 +31,16 @@ jobs:
           VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
           echo "package_version=$VERSION" >> $GITHUB_OUTPUT
 
+      - name: Sign if repo is owned by Bitwarden
+        id: sign
+        env:
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          if [[ $REPO_OWNER == bitwarden ]]; then
+            echo "sign=true" >> $GITHUB_OUTPUT
+          fi
+          echo "sign=false" >> $GITHUB_OUTPUT
+
   build-windows:
     name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
     runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
@@ -66,11 +77,13 @@ jobs:
         run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}
 
       - name: Login to Azure
+        if: ${{ needs.setup.outputs.sign == 'true' }}
         uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
         with:
           creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
       - name: Retrieve secrets
+        if: ${{ needs.setup.outputs.sign == 'true' }}
         id: retrieve-secrets-windows
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
@@ -82,9 +95,11 @@ jobs:
             code-signing-cert-name"
 
       - name: Install AST
+        if: ${{ needs.setup.outputs.sign == 'true' }}
         run: dotnet tool install --global AzureSignTool --version 4.0.1
 
       - name: Sign windows binary
+        if: ${{ needs.setup.outputs.sign == 'true' }}
         env:
           SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }}
           SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }}