Modernize release workflow#466

Merged
jozefizso merged 4 commits intomainfrom
backport/443-modernize_release_workflow
Mar 25, 2026
Conversation

@jozefizso jozefizso commented Mar 23, 2026

This PR modernizes the release.yml workflow.

It backports several changes from the v1.9.8 branch: #443, #457, #458, #459, #461, #462

Backported changes

#443 — Modernize release workflow for v1.9.x releases

The release workflow is modernized with support for Azure Trusted Signing and NuGet Trusted Publishing.
The workflow uses federated OIDC logins to Azure and NuGet to minimize secret tokens management.

The workflow is split into two parts. Release will build and digitally sign NetOffice assemblies,
and it will create the legacy archive and all NuGet packages. As Azure Trusted Signing uses
short-lived three-day certificates and the NuGet Gallery does not yet support the
Public Trust Identity EKU (see NuGet/NuGetGallery#10027),
the developer must manually download the certificate artifact and upload the .cer file
to the NuGet account for NetOffice.

The nuget-gallery environment is gated by manual approval, so the second part of the release
workflow will run only after the certificate has been uploaded to the NuGet Gallery account.

#457 — Update build workflows

Update GitHub Actions used in build workflows.

#458 — Use azure/artifact-signing-action action to sign libraries

The azure/trusted-signing-action was rebranded to azure/artifact-signing-action.

#459 — Run builds on Windows Server 2025

Run builds on windows-2025 runner images.

#461 — Use BUILD_SIGN_RELEASE env variable in release.yml workflow

Use the BUILD_SIGN_RELEASE environment variable in the release.yml workflow.

#462 — Fix the certificate download link

Fix the certificate download link in the release workflow.

Additional changes

  • Update actions in labels.yml workflow
  • Update actions in tests.yml workflow
  • Update workflow actions to latest releases (NodeJS 24 runtime)
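An added, illustrative sketch of the two-part workflow the description outlines (example configuration written for this page, not the NetOffice release.yml): the first job authenticates to Azure over OIDC and signs the assemblies, the second is gated by the manual-approval environment and obtains a temporary nuget.org key over OIDC instead of a stored API key. The signing action's input names, the build.ps1/pack.ps1 scripts, the account and profile placeholders, the AZURE_* variables and the NUGET_USER secret are assumptions.

```yaml
name: release
on: { push: { tags: ['v*'] } }
# Federated OIDC to Azure and nuget.org: no long-lived API keys stored as secrets.
permissions:
  contents: read
  id-token: write
jobs:
  release:
    runs-on: windows-2025
    outputs:
      nuget_packages_artifact_name: ${{ steps.pack.outputs.artifact_name }}
    steps:
      - uses: actions/checkout@v4
      - run: ./build.ps1            # assumed script: compiles assemblies into out/bin
      - name: Azure login with the job's OIDC token (federated credential, no client secret)
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
      - name: Sign assemblies (input names assumed; check the action's README)
        if: vars.BUILD_SIGN_RELEASE == 'true'
        uses: azure/artifact-signing-action@v1
        with:
          endpoint: https://eus.codesigning.azure.net/
          trusted-signing-account-name: placeholder-account
          certificate-profile-name: placeholder-profile
          files-folder: out/bin
          files-folder-filter: dll
      - id: pack                    # assumed script: packs signed DLLs, emits artifact_name
        run: ./pack.ps1
      - name: Upload packages (the short-lived .cer goes up the same way for nuget.org)
        uses: actions/upload-artifact@v4
        with:
          name: ${{ steps.pack.outputs.artifact_name }}
          path: out/packages/*.nupkg
  publish:
    needs: release
    runs-on: ubuntu-latest
    environment: nuget-gallery   # manual approval: approve once the .cer is on the NuGet account
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ${{ needs.release.outputs.nuget_packages_artifact_name }}
          path: packages
      - id: nuget-login           # exchanges the job's OIDC token for a temporary API key
        uses: NuGet/login@v1
        with:
          user: ${{ secrets.NUGET_USER }}
      - run: dotnet nuget push 'packages/*.nupkg' --api-key ${{ steps.nuget-login.outputs.NUGET_API_KEY }} --source https://api.nuget.org/v3/index.json
```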

@jozefizso jozefizso self-assigned this Mar 23, 2026
@jozefizso jozefizso requested a review from m-kovac March 23, 2026 17:44
@jozefizso jozefizso added this to the 2.0.0 milestone Mar 23, 2026

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3f5a5f5505


BUILD_SIGN_RELEASE: ${{ vars.BUILD_SIGN_RELEASE }}

outputs:
nuget_packages_artifact_name: ${{ steps.build.outputs.nuget_packages_artifact_name }}
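Review bot: `nuget_packages_artifact_name` in this `outputs:` block is written by every matrix variant of `release`, so `publish` reads whichever variant finished last; since the Debug and Release variants upload different artifact names on tag builds, the stable packages are not guaranteed to be the ones pushed. Expose one output per configuration (for example a Release-only key populated only by that variant) or have `publish` download the artifact by a configuration-specific name instead of through this single shared output.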
P1: Use unique matrix outputs for NuGet artifact selection

release now runs a Debug and Release matrix, but both variants write the same job output key (nuget_packages_artifact_name). GitHub Actions does not guarantee matrix execution order, so the last completed variant overwrites this value. On tag builds, Debug and Release produce different package artifact names (preview vs stable), so publish can nondeterministically download the Debug artifact and publish preview packages to nuget.org.


Comment on lines +56 to +57
if: steps.cache-dotnettools.outputs.cache-hit != 'true'
run: dotnet tool install --verbosity minimal --global sign --version 0.9.1-beta.25379.1
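Review bot: the `if:` on line +56 makes a cache hit on the static `dotnettools` key sufficient to skip installing `sign` 0.9.1-beta.25379.1, and a hit can come from an entry saved before this step existed, so the tool may be absent when `sign_binaries` is enabled. Include the tool name and pinned version in the cache key (for example `dotnettools-sign-0.9.1-beta.25379.1`) so a stale or empty entry cannot satisfy the condition, or verify the tool is actually present with `dotnet tool list --global` before deciding to skip the install.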
P1: Install signing tools regardless of cache-hit state

The signing tool install is skipped whenever the cache restores, but the cache key is static (dotnettools) and existed before this change when no tools were installed. A restored stale/empty cache therefore bypasses installation and leaves sign/nuget-cert-extractor unavailable, causing signing-related steps to fail whenever sign_binaries is enabled. Check tool presence/version (or version the cache key) instead of using cache-hit alone.


@jozefizso jozefizso force-pushed the backport/443-modernize_release_workflow branch from 3f5a5f5 to 6d4bd3c on March 23, 2026 17:58
@jozefizso jozefizso requested a review from DominikPalo March 24, 2026 09:58
@jozefizso jozefizso merged commit 6790950 into main Mar 25, 2026