I ultimately concluded the automation was too much work and I didn't want to figure it out. I bought the Sectigo cert (they will sell code signing certs to individuals) with the USB dongle and installed their crappy software (SafeNet Authentication Client), and I manually sign builds from GitHub Actions on my workstation with "signtool."