GPG artifact code signing should only be enabled in a release profile

[heuermh]

As an external developer, I shouldn't be code signing artifacts when running mvn package or mvn install locally, rather the maven-gpg-plugin should only be enabled in a release profile.

$ mvn install
...
[INFO] Building jar: /Users/heuermh/working/phenopacket-reference-implementation/target/phenopackets-api-0.0.5-SNAPSHOT-javadoc.jar
[INFO] 
[INFO] --- maven-gpg-plugin:1.5:sign (sign-artifacts) @ phenopackets-api ---
/bin/sh: gpg: command not found
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------

[cmungall]

Agreed - we'll look into this