Depending on your threat model, I think that signing packages directly from your CI is acceptable, assuming that your CI runs in a reasonably isolated environment (e.g. on your company's LAN) and people who are able to trigger a release are correctly vetted.
If I understand the parent comment correctly they were somehow shipping the release signing key on their production environment which is a whole other level of bad.
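An added example, not code from the commenter or from any project discussed in the thread, illustrating the separation the comment argues for: the release signing key exists only inside the CI job, while production holds nothing but a pinned public key and can still reject a tampered or wrongly signed artifact. It uses Go's standard-library Ed25519; the key is generated in memory as a stand-in for loading it from a CI secret store or HSM, and the artifact bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is the bundle CI hands to production: the artifact bytes and the
// signature made over them. No private key material is part of it.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// GenerateReleaseKey stands in for provisioning the release signing key into
// the CI secret store (constructed example; a real setup would load the key
// from the CI secret store or an HSM rather than generate it per run).
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// CISign runs inside the CI job, the only place the private key is present.
func CISign(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, artifact)}
}

// ProdVerify is everything production needs: the hex-encoded public key that
// is pinned in its configuration, plus the release. It never sees the private key.
func ProdVerify(pinnedPubHex string, r Release) error {
	pub, err := hex.DecodeString(pinnedPubHex)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key is malformed")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), r.Artifact, r.Signature) {
		return errors.New("signature does not verify against pinned key")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateReleaseKey()
	if err != nil {
		panic(err)
	}
	pinned := hex.EncodeToString(pub) // the only key material that reaches prod config

	// CI side: sign a (constructed) artifact.
	rel := CISign(priv, []byte("myapp-1.2.3.tar.gz contents (constructed)"))

	// Prod side: verify with the pinned public key only.
	fmt.Println("genuine release:", ProdVerify(pinned, rel))

	// Any modification after signing is rejected.
	rel.Artifact = append(rel.Artifact, '!')
	fmt.Println("tampered release:", ProdVerify(pinned, rel))
}
```

The point of the split is that compromising a production host yields at most the public key, which is useless for forging releases; the private key's exposure is bounded by who can run the CI job, which is exactly the vetting the comment relies on.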