I haven't tried it myself, but it seems like that should be possible?

> You can sign Xcode apps within your continuous integration (CI) workflow by installing an Apple code signing certificate on GitHub Actions runners.

https://docs.github.com/en/actions/use-cases-and-examples/de...

This costs money, requires some agreement signing and can "dox" developers, so not everyone wants a cert.

That is chef's kiss right there.

Security or authenticity is prevented by a security or authenticity policy.

This is common. Sometimes a security policy works (e.g. a password length requirement may cause people to come up with stronger password) and sometimes people consider it excessive and prefer to work around it (e.g. a password length requirement may cause people to write the password down on a sticky note and attach it to the computer screen).