Add macOS code signing and notarization to release workflow#338
Add macOS code signing and notarization to release workflow#338forketyfork wants to merge 2 commits into
Conversation
Co-Authored-By: Claude <claude@air.dev>
There was a problem hiding this comment.
Pull request overview
Adds Developer ID code signing and Apple notarization to the macOS release pipeline so published release archives should pass Gatekeeper by default.
Changes:
- Introduces a
scripts/notarize-macos.shhelper to submit, wait, staple, and validate notarization forArchitect.app. - Updates
scripts/bundle-macos.shto support real Developer ID signing viaAPPLE_SIGNING_IDENTITY(while keeping ad-hoc signing as the local default). - Extends the GitHub Actions release workflow to import signing certs, notarize per-arch artifacts, and updates documentation accordingly.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/notarize-macos.sh | New script to zip, submit, staple, and validate notarization for the app bundle. |
| scripts/bundle-macos.sh | Adds support for Developer ID signing (runtime + timestamp) and centralizes signing logic. |
| README.md | Updates macOS install notes to reflect notarized release artifacts; clarifies Homebrew/source behavior. |
| docs/development.md | Documents required APPLE_* secrets and one-time setup steps for signing/notarization. |
| CLAUDE.md | Adds a repo note capturing the new release workflow signing/notarization requirements. |
| .github/workflows/release.yaml | Imports signing certs, notarizes the app, and adjusts timeouts and release packaging flow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7819de4406
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Pass secrets via env: instead of interpolating ${{ secrets.* }} directly
into the shell script (Copilot/Codex flagged the secrets-verification step
as vulnerable to metacharacter breakage). Also harden temp key material
handling with umask-restricted writes and EXIT traps so the .p12/.p8 files
are cleaned up even if a step fails partway through.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
No description provided.