Why so? If I am assuming that the servers and the developers machines are not compromised, I don’t see a problem with automating the signing as well.
However, even when assuming them all to be trusted, it doesn’t protect me against an attacker (e.g. some state-level attacker) that cracks HTTPS using its own controlled certificate authorities to issue wrong certicifates trusted by my browser and then executes the usual man-in-the-middle or man-on-the-side attack.
That is why e.g. Qubes OS, Tails, Subgraph OS, Debian, … all have signed releases. Therefore I feel much saver to install a plain debian and perhaps do some hardening myself, then to install a Pure OS, in which case I can’t even trust the installation medium.