You could use this in addition to regular macOS machines. You can run tests from un-trusted branches, without worrying that something will expose the signing keys.
Then after merging, you have a second machine / set of machines that only does signing. It increases the difficulty of an accidental or intentional leakage of your sensitive keys.
Then after merging, you have a second machine / set of machines that only does signing. It increases the difficulty of an accidental or intentional leakage of your sensitive keys.
(Note: I have not tested this yet)