You build on the CI, but then do the signing yourself on the machine which has the HSM... and then upload that as the release build...