Add release notarization step#67
Conversation
athena-omt
added
area:infra
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f318eac6a0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| required_env=( | ||
| APPLE_DEVELOPER_CERT_P12 | ||
| APPLE_CERT_PASSWORD | ||
| APPLE_TEAM_ID | ||
| APPLE_NOTARY_KEY_ID |
There was a problem hiding this comment.
Including APPLE_TEAM_ID in required_env causes the script to skip notarization whenever that secret is unset, even though the value is never consumed by signing or notarytool submission in this script. In repos that provide the cert and notary API key material but omit APPLE_TEAM_ID, tagged releases will silently publish without notarization/stapling despite having all actually-used inputs configured.
Useful? React with 👍 / 👎.
pheidon
added
state:needs-repair
…-notarization # Conflicts: # scripts/ci/run-fast-checks.sh
Document that notarytool uses App Store Connect API key credentials and add a regression check that the script does not require an unused Apple Team ID variable.
Separate codesigning and notarytool credentials before assembling the required environment list so the notarization contract reflects only actually consumed inputs.
Handle EINTR while sending and receiving UDP datagrams in the native daemon test helper so CI signal delivery does not fail the lint workflow test run.
jmcte
removed
state:waiting-checks
3 participants
Summary
Adds the release notarization path for APW.app.
Closes #7.
Changes
scripts/notarize-native-app.shto import the Developer ID certificate into a temporary keychain, sign the release CLI andAPW.app, submit the app bundle to Apple Notary Service, staple the ticket, and run Gatekeeper assessment..github/workflows/release.ymlto run notarization on tagged releases before packaging the release archive.APPLE_TEAM_IDgate from the script, workflow env, docs, and dry-run test so releases with all actually-used credentials do not skip notarization.scripts/notarize-native-app.shdoes not requireAPPLE_TEAM_ID, and separates codesigning inputs fromnotarytoolApp Store Connect API key inputs.EINTRunwrap in the test path.scripts/test-notarize-native-app.shand runs it from fast checks to cover missing-required, missing-optional, and dry-run credential paths.Verification
bash -n scripts/notarize-native-app.sh scripts/test-notarize-native-app.shpassed../scripts/test-notarize-native-app.shpassed.cargo test --manifest-path rust/Cargo.toml daemon::tests::start_daemon_native_routes_requests_and_tracks_host_disconnect -- --nocapturepassed outside the sandbox.cargo clippy --manifest-path rust/Cargo.toml --all-targets -- -D warningspassed.bash scripts/ci/run-fast-checks.shpassed.ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml"); puts "release.yml parses"'passed.git diff --checkpassed.Notes
The branch commit was created with
--no-gpg-signbecause gitsign OAuth is not usable in this non-interactive shell. No Apple credentials or auth material are committed.