
build: automate macOS codesign + notarization via GitHub Actions #94

@justrach

Description


Status

Codesign is done (v0.2.3 uses Developer ID: Rachit Pradhan, WWP9DLJ27P). But notarization is missing: `spctl --assess` rejects the binary. Gatekeeper blocks it on first run.

What's needed

1. App Store Connect API key

2. GitHub Actions secrets

Store these as repo secrets:

  • APPLE_CERT_BASE64 — Developer ID cert exported as p12, base64 encoded
  • APPLE_CERT_PASSWORD — password for the p12
  • APPLE_API_KEY_ID — from App Store Connect
  • APPLE_API_ISSUER_ID — from App Store Connect
  • APPLE_API_KEY_BASE64 — the .p8 file, base64 encoded

3. GitHub Actions release workflow

name: release
on:
  push:
    tags: ['v*']

jobs:
  build-macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Install Zig
        uses: mlugg/setup-zig@v1
        with:
          version: 0.15.2
      
      - name: Import certificate
        env:
          CERT: ${{ secrets.APPLE_CERT_BASE64 }}
          CERT_PASS: ${{ secrets.APPLE_CERT_PASSWORD }}
        run: |
          # Decode the p12 into the runner temp dir, not the checkout, and delete it once imported
          echo "$CERT" | base64 -d > "$RUNNER_TEMP/cert.p12"
          security create-keychain -p "" build.keychain
          security import "$RUNNER_TEMP/cert.p12" -k build.keychain -P "$CERT_PASS" -T /usr/bin/codesign
          rm -f "$RUNNER_TEMP/cert.p12"
          # No auto-lock timeout, make it the search keychain, and let codesign use the key without a prompt
          security set-keychain-settings build.keychain
          security list-keychains -s build.keychain
          security unlock-keychain -p "" build.keychain
          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
      
      - name: Build
        run: zig build -Doptimize=ReleaseFast
      
      - name: Codesign
        # --options runtime enables the hardened runtime and --timestamp embeds a secure
        # timestamp; notarization requires both and rejects a signature without a timestamp
        run: codesign -f -s "Developer ID Application: Rachit Pradhan (WWP9DLJ27P)" --options runtime --timestamp zig-out/bin/codedb
      
      - name: Notarize
        env:
          API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
          API_ISSUER: ${{ secrets.APPLE_API_ISSUER_ID }}
          API_KEY: ${{ secrets.APPLE_API_KEY_BASE64 }}
        run: |
          echo "$API_KEY" | base64 -d > "$RUNNER_TEMP/apikey.p8"
          # notarytool wants an archive; a zip is enough for a bare executable
          ditto -c -k zig-out/bin/codedb codedb.zip
          # --wait blocks until Apple reports a status; if it is anything other than
          # Accepted, `xcrun notarytool log <submission-id>` shows the reason
          xcrun notarytool submit codedb.zip \
            --key "$RUNNER_TEMP/apikey.p8" \
            --key-id "$API_KEY_ID" \
            --issuer "$API_ISSUER" \
            --wait
          rm -f "$RUNNER_TEMP/apikey.p8"
          # A ticket cannot be stapled to a bare Mach-O (only bundles, dmg and pkg take one);
          # Gatekeeper looks the ticket up online instead, so this step is expected to fail
          xcrun stapler staple zig-out/bin/codedb || true
      
      - name: Upload
        uses: actions/upload-artifact@v4
        with:
          name: codedb-darwin-arm64
          path: zig-out/bin/codedb

  build-linux:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: mlugg/setup-zig@v1
        with:
          version: 0.15.2
      - run: zig build -Doptimize=ReleaseFast
      - uses: actions/upload-artifact@v4
        with:
          name: codedb-linux-x86_64
          path: zig-out/bin/codedb

  release:
    needs: [build-macos, build-linux]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
      - name: Rename
        run: |
          mv codedb-darwin-arm64/codedb codedb-darwin-arm64.bin
          mv codedb-linux-x86_64/codedb codedb-linux-x86_64.bin
      - uses: softprops/action-gh-release@v2
        with:
          files: |
            codedb-darwin-arm64.bin
            codedb-linux-x86_64.bin

4. Verification

After the workflow runs, verify:

spctl --assess --type execute -vv codedb-darwin-arm64
# Should output: accepted, with source=Notarized Developer ID
codesign -dvv codedb-darwin-arm64 2>&1 | grep Authority
# codesign -d prints to stderr, hence the 2>&1
# Should show: Developer ID Application: Rachit Pradhan (WWP9DLJ27P)

Current state (v0.2.3)

  • ✅ Codesign with Developer ID (WWP9DLJ27P)
  • ❌ Not notarized (spctl rejects)
  • ❌ No GitHub Actions automation
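Added example, not code from the codedb project or from the issue author: a POSIX sh release gate that turns the verification step above into a pass/fail check. It reads the text that `codesign -dvv` and `spctl --assess -vv` print and passes only when the Developer ID chain, hardened runtime and secure timestamp are all present and Gatekeeper accepted the file on the strength of a notarization ticket. The team ID is the one the issue names; the field names (`Authority=`, `flags=...(runtime)`, `Timestamp=`, `source=Notarized Developer ID`) are what those tools print on macOS, and the sample outputs embedded below are constructed for the self-check, not captures of v0.2.3.

```shell
#!/bin/sh
# Added example (not part of codedb or issue #94): fail a release unless the
# macOS binary is Developer ID signed, timestamped, hardened and notarized.

TEAM_ID="WWP9DLJ27P"   # team ID from the issue; everything else is assumed

# check_codesign: takes the text of `codesign -dvv <bin> 2>&1` (codesign writes
# its details to stderr) and returns 0 only if every notarization prerequisite
# visible in that output is present.
check_codesign() {
    out="$1"
    case "$out" in
        *"Authority=Developer ID Application: "*"($TEAM_ID)"*) ;;
        *) echo "FAIL: no Developer ID Application authority for $TEAM_ID" >&2; return 1 ;;
    esac
    case "$out" in
        *"Authority=Developer ID Certification Authority"*) ;;
        *) echo "FAIL: certificate chain is not Developer ID" >&2; return 1 ;;
    esac
    case "$out" in
        *"flags="*"(runtime)"*) ;;
        *) echo "FAIL: hardened runtime not enabled (codesign --options runtime)" >&2; return 1 ;;
    esac
    case "$out" in
        *"Timestamp="*) ;;
        *) echo "FAIL: no secure timestamp (codesign --timestamp); notarytool rejects this" >&2; return 1 ;;
    esac
    return 0
}

# check_spctl: takes the text of `spctl --assess --type execute -vv <bin> 2>&1`
# and returns 0 only if Gatekeeper accepted the file because of a notarization
# ticket, not merely because it is signed or locally approved.
check_spctl() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;
        *) echo "FAIL: Gatekeeper rejected the binary" >&2; return 1 ;;
    esac
    case "$out" in
        *"source=Notarized Developer ID"*) ;;
        *) echo "FAIL: accepted, but not via a notarization ticket" >&2; return 1 ;;
    esac
    return 0
}

# gate_binary: run both checks against a real file (macOS only).
gate_binary() {
    bin="$1"
    check_codesign "$(codesign -dvv "$bin" 2>&1)" &&
    check_spctl "$(spctl --assess --type execute -vv "$bin" 2>&1)"
}

# Constructed sample outputs (not real captures). First pair: what the workflow
# should produce. Second pair: signed with Developer ID but never timestamped
# or notarized, which is the v0.2.3 failure mode the issue describes.
SAMPLE_CODESIGN_OK='Executable=/tmp/codedb
Identifier=codedb
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=38+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Rachit Pradhan (WWP9DLJ27P)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2025 at 00:00:00
TeamIdentifier=WWP9DLJ27P'
SAMPLE_SPCTL_OK='/tmp/codedb: accepted
source=Notarized Developer ID
origin=Developer ID Application: Rachit Pradhan (WWP9DLJ27P)'

SAMPLE_CODESIGN_BAD='Executable=/tmp/codedb
Identifier=codedb
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x10000(runtime) hashes=38+7 location=embedded
Signature size=4500
Authority=Developer ID Application: Rachit Pradhan (WWP9DLJ27P)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=WWP9DLJ27P'
SAMPLE_SPCTL_BAD='/tmp/codedb: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Rachit Pradhan (WWP9DLJ27P)'

# Stand-alone use: gate a real binary if a path is given, else self-check on the samples.
if [ -n "${1:-}" ]; then
    gate_binary "$1"
else
    check_codesign "$SAMPLE_CODESIGN_OK" && check_spctl "$SAMPLE_SPCTL_OK" && echo "sample notarized build: pass"
    check_codesign "$SAMPLE_CODESIGN_BAD" || check_spctl "$SAMPLE_SPCTL_BAD" || echo "sample unnotarized build: fail (as intended)"
fi
```

Run it as `sh gate.sh codedb-darwin-arm64` on a Mac after the release job finishes; the first failing prerequisite is named on stderr, so a missing `--timestamp` or a pending notarization shows up as a specific reason rather than a bare "rejected".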
