From 3c8559574fa7257c6f5f0f8180ad747912512364 Mon Sep 17 00:00:00 2001 From: Mariot Chauvin Date: Sun, 5 Apr 2026 12:27:12 +0100 Subject: [PATCH 1/7] ci: restore arm64 releases and notarize macOS builds --- .github/workflows/release-binaries.yml | 63 +++++++++++++++++++++++--- build.zig | 6 ++- 2 files changed, 62 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 5e52421..614ebb7 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -39,11 +39,19 @@ jobs: asset_name: codedb-linux-x86_64 zig_archive: zig-x86_64-linux-0.15.2.tar.xz zig_dir: zig-x86_64-linux-0.15.2 + - runner: ubuntu-24.04 + zig_target: aarch64-linux + asset_name: codedb-linux-arm64 + zig_archive: zig-x86_64-linux-0.15.2.tar.xz + zig_dir: zig-x86_64-linux-0.15.2 env: RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.event.release.tag_name }} - APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - CODEDB_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }} + APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }} + APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} + APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} + APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }} + APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} + CODEDB_CODESIGN_IDENTITY: "Developer ID Application: Rachit Pradhan (WWP9DLJ27P)" steps: - uses: actions/checkout@v4 with: 
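Review bot: The new `aarch64-linux` matrix entry downloads the x86_64 Zig archive (`zig_archive: zig-x86_64-linux-0.15.2.tar.xz`), which works because Zig cross-compiles from the host toolchain, but nothing in the entry says so and it reads like a copy-paste slip next to `zig_target: aarch64-linux`. A comment on the entry, `# host (x86_64) toolchain; zig cross-compiles to zig_target`, would prevent a later "fix". The resulting arm64 binary cannot be executed on this `ubuntu-24.04` runner, so any smoke test of the artifact would need a native arm64 runner such as `ubuntu-24.04-arm`; whether the job runs one is outside this hunk. The `CODEDB_CODESIGN_IDENTITY` literal is the public signer name rather than a secret, but placing it in the same `env:` block as the `secrets.*` entries makes it look like one.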
@@ -58,8 +66,24 @@ jobs: tar -xf zig.tar.xz echo "$PWD/${{ matrix.zig_dir }}" >> "$GITHUB_PATH" + - name: Require macOS signing and notarization secrets + if: runner.os == 'macOS' + shell: bash + run: | + set -euo pipefail + missing=() + [[ -n "${APPLE_CERT_BASE64}" ]] || missing+=("APPLE_CERT_BASE64") + [[ -n "${APPLE_CERT_PASSWORD}" ]] || missing+=("APPLE_CERT_PASSWORD") + [[ -n "${APPLE_API_KEY_ID}" ]] || missing+=("APPLE_API_KEY_ID") + [[ -n "${APPLE_API_ISSUER_ID}" ]] || missing+=("APPLE_API_ISSUER_ID") + [[ -n "${APPLE_API_KEY_BASE64}" ]] || missing+=("APPLE_API_KEY_BASE64") + if (( ${#missing[@]} > 0 )); then + printf 'Missing required macOS release secrets: %s\n' "${missing[*]}" >&2 + exit 1 + fi + - name: Import Apple signing certificate - if: runner.os == 'macOS' && env.APPLE_CERTIFICATE_P12 != '' + if: runner.os == 'macOS' shell: bash run: | set -euo pipefail @@ -71,13 +95,13 @@ jobs: import os import pathlib pathlib.Path(os.environ["CERT_PATH"]).write_bytes( - base64.b64decode(os.environ["APPLE_CERTIFICATE_P12"]) + base64.b64decode(os.environ["APPLE_CERT_BASE64"]) ) PY security create-keychain -p "" "$KEYCHAIN_PATH" security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security unlock-keychain -p "" "$KEYCHAIN_PATH" - security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" + security import "$CERT_PATH" -P "$APPLE_CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" security list-keychains -d user -s "$KEYCHAIN_PATH" security default-keychain -s "$KEYCHAIN_PATH" security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" "$KEYCHAIN_PATH" 
@@ -93,6 +117,33 @@ jobs: zig build -Doptimize=ReleaseFast -Dtarget=${{ matrix.zig_target }} "${codesign_arg[@]}" cp zig-out/bin/codedb "${{ matrix.asset_name }}" + - name: Notarize ${{ matrix.asset_name }} + if: runner.os == 'macOS' + shell: bash + run: | + set -euo pipefail + API_KEY_PATH="$RUNNER_TEMP/codedb-notary-key.p8" + export API_KEY_PATH + python3 - <<'PY' + import base64 + import os + import pathlib + pathlib.Path(os.environ["API_KEY_PATH"]).write_bytes( + base64.b64decode(os.environ["APPLE_API_KEY_BASE64"]) + ) + PY + chmod 600 "$API_KEY_PATH" + codesign --verify --verbose=2 "${{ matrix.asset_name }}" + ditto -c -k --keepParent "${{ matrix.asset_name }}" "${{ matrix.asset_name }}.zip" + xcrun notarytool submit "${{ matrix.asset_name }}.zip" \ + --key "$API_KEY_PATH" \ + --key-id "$APPLE_API_KEY_ID" \ + --issuer "$APPLE_API_ISSUER_ID" \ + --wait + xcrun stapler staple "${{ matrix.asset_name }}" || true + spctl --assess --type execute --verbose=4 "${{ matrix.asset_name }}" + rm -f "${{ matrix.asset_name }}.zip" "$API_KEY_PATH" + - name: Upload build artifact uses: actions/upload-artifact@v4 with: diff --git a/build.zig b/build.zig index bd3b3b0..e21a541 100644 --- a/build.zig +++ b/build.zig @@ -34,7 +34,11 @@ pub fn build(b: *std.Build) void { // ── macOS codesign (ad-hoc by default; configurable for release builds) ── if (target.result.os.tag == .macos and builtin.os.tag == .macos) { - const codesign = b.addSystemCommand(&.{ "codesign", "-f", "-s", codesign_identity }); + const codesign_args = if (std.mem.eql(u8, codesign_identity, "-")) + &.{ "codesign", "-f", "-s", codesign_identity } + else + &.{ "codesign", "-f", "-s", codesign_identity, "--options", "runtime", "--timestamp" }; + const codesign = b.addSystemCommand(codesign_args); codesign.addArtifactArg(exe); b.getInstallStep().dependOn(&codesign.step); } From e454c72e1a5a537f29f42b591c9a444a199c1686 Mon Sep 17 00:00:00 2001 
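Review bot: `codesign_args` is assigned from two anonymous list literals of different lengths with no declared type, so the `if` has to peer-resolve a four-element `&.{…}` against a seven-element one; without a result type each `&.{…}` is a pointer to its own tuple type and I am not confident they resolve to the `[]const []const u8` that `addSystemCommand` expects. Declaring the type, `const codesign_args: []const []const u8 = if (std.mem.eql(u8, codesign_identity, "-"))`, makes the coercion explicit and fails loudly if it ever does not hold. A short comment on the non-ad-hoc branch would also help a reader who does not know why the extra flags exist, e.g. `// hardened runtime + secure timestamp are required for a notarizable Developer ID signature`. `build` continues outside the hunk.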
From: Mariot Chauvin Date: Sun, 5 Apr 2026 13:43:44 +0100 Subject: [PATCH 2/7] ci: scope Apple secrets to macOS steps --- .github/workflows/release-binaries.yml | 38 ++++++++++++++++++-------- 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 614ebb7..cfa2ded 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -46,12 +46,6 @@ jobs: zig_dir: zig-x86_64-linux-0.15.2 env: RELEASE_TAG: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.event.release.tag_name }} - APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }} - APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} - APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} - APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }} - APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} - CODEDB_CODESIGN_IDENTITY: "Developer ID Application: Rachit Pradhan (WWP9DLJ27P)" steps: - uses: actions/checkout@v4 with: @@ -68,6 +62,12 @@ jobs: - name: Require macOS signing and notarization secrets if: runner.os == 'macOS' + env: + APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }} + APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} + APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} + APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }} + APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} shell: bash run: | set -euo pipefail @@ -84,6 +84,9 @@ jobs: - name: Import Apple signing certificate if: runner.os == 'macOS' + env: + APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }} + APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} shell: bash run: | set -euo pipefail 
@@ -106,19 +109,30 @@ jobs: security default-keychain -s "$KEYCHAIN_PATH" security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" "$KEYCHAIN_PATH" - - name: Build ${{ matrix.asset_name }} + - name: Build ${{ matrix.asset_name }} (macOS) + if: runner.os == 'macOS' + env: + CODEDB_CODESIGN_IDENTITY: "${{ secrets.APPLE_CODESIGN_IDENTITY != '' && secrets.APPLE_CODESIGN_IDENTITY || 'Developer ID Application: Rachit Pradhan (WWP9DLJ27P)' }}" shell: bash run: | set -euo pipefail - codesign_arg=() - if [[ "${{ runner.os }}" == "macOS" ]] && grep -q 'codesign-identity' build.zig; then - codesign_arg=(-Dcodesign-identity="${CODEDB_CODESIGN_IDENTITY:-"-"}") - fi - zig build -Doptimize=ReleaseFast -Dtarget=${{ matrix.zig_target }} "${codesign_arg[@]}" + zig build -Doptimize=ReleaseFast -Dtarget=${{ matrix.zig_target }} -Dcodesign-identity="${CODEDB_CODESIGN_IDENTITY}" + cp zig-out/bin/codedb "${{ matrix.asset_name }}" + + - name: Build ${{ matrix.asset_name }} (Linux) + if: runner.os != 'macOS' + shell: bash + run: | + set -euo pipefail + zig build -Doptimize=ReleaseFast -Dtarget=${{ matrix.zig_target }} cp zig-out/bin/codedb "${{ matrix.asset_name }}" - name: Notarize ${{ matrix.asset_name }} if: runner.os == 'macOS' + env: + APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} + APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }} + APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} shell: bash run: | set -euo pipefail From a97a29f9945bb3cd674358f26562b80da24e3598 Mon Sep 17 00:00:00 2001 From: Mariot Chauvin Date: Sun, 5 Apr 2026 13:49:24 +0100 Subject: [PATCH 3/7] ci: keep existing Apple cert secret names --- .github/workflows/release-binaries.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index cfa2ded..a772f3f 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml 
@@ -63,8 +63,8 @@ jobs: - name: Require macOS signing and notarization secrets if: runner.os == 'macOS' env: - APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }} - APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} + APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }} APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }} @@ -72,8 +72,8 @@ jobs: run: | set -euo pipefail missing=() - [[ -n "${APPLE_CERT_BASE64}" ]] || missing+=("APPLE_CERT_BASE64") - [[ -n "${APPLE_CERT_PASSWORD}" ]] || missing+=("APPLE_CERT_PASSWORD") + [[ -n "${APPLE_CERTIFICATE_P12}" ]] || missing+=("APPLE_CERTIFICATE_P12") + [[ -n "${APPLE_CERTIFICATE_PASSWORD}" ]] || missing+=("APPLE_CERTIFICATE_PASSWORD") [[ -n "${APPLE_API_KEY_ID}" ]] || missing+=("APPLE_API_KEY_ID") [[ -n "${APPLE_API_ISSUER_ID}" ]] || missing+=("APPLE_API_ISSUER_ID") [[ -n "${APPLE_API_KEY_BASE64}" ]] || missing+=("APPLE_API_KEY_BASE64") @@ -85,8 +85,8 @@ jobs: - name: Import Apple signing certificate if: runner.os == 'macOS' env: - APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }} - APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }} + APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} shell: bash run: | set -euo pipefail 
@@ -98,13 +98,13 @@ jobs: import os import pathlib pathlib.Path(os.environ["CERT_PATH"]).write_bytes( - base64.b64decode(os.environ["APPLE_CERT_BASE64"]) + base64.b64decode(os.environ["APPLE_CERTIFICATE_P12"]) ) PY security create-keychain -p "" "$KEYCHAIN_PATH" security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security unlock-keychain -p "" "$KEYCHAIN_PATH" - security import "$CERT_PATH" -P "$APPLE_CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" + security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" security list-keychains -d user -s "$KEYCHAIN_PATH" security default-keychain -s "$KEYCHAIN_PATH" security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" "$KEYCHAIN_PATH" From e78f0965e9a713940d62ae1d126d5d58d1456ebe Mon Sep 17 00:00:00 2001 From: Mariot Chauvin Date: Sun, 5 Apr 2026 15:48:36 +0100 Subject: [PATCH 4/7] ci: support legacy tags in macOS release job --- .github/workflows/release-binaries.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index a772f3f..36871b6 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml 
@@ -116,9 +116,22 @@ jobs: shell: bash run: | set -euo pipefail - zig build -Doptimize=ReleaseFast -Dtarget=${{ matrix.zig_target }} -Dcodesign-identity="${CODEDB_CODESIGN_IDENTITY}" + codesign_args=() + if grep -q 'codesign-identity' build.zig; then + codesign_args=(-Dcodesign-identity="${CODEDB_CODESIGN_IDENTITY}") + fi + zig build -Doptimize=ReleaseFast -Dtarget=${{ matrix.zig_target }} "${codesign_args[@]}" cp zig-out/bin/codedb "${{ matrix.asset_name }}" + - name: Re-sign ${{ matrix.asset_name }} for notarization + if: runner.os == 'macOS' + env: + CODEDB_CODESIGN_IDENTITY: "${{ secrets.APPLE_CODESIGN_IDENTITY != '' && secrets.APPLE_CODESIGN_IDENTITY || 'Developer ID Application: Rachit Pradhan (WWP9DLJ27P)' }}" + shell: bash + run: | + set -euo pipefail + codesign -f -s "${CODEDB_CODESIGN_IDENTITY}" --options runtime --timestamp "${{ matrix.asset_name }}" + - name: Build ${{ matrix.asset_name }} (Linux) if: runner.os != 'macOS' shell: bash From 14bf78bbde320135da1ed16b4915c23b62a91882 Mon Sep 17 00:00:00 2001 From: Mariot Chauvin Date: Sun, 5 Apr 2026 20:49:01 +0100 Subject: [PATCH 5/7] ci: use Apple action for codesign cert import --- .github/workflows/release-binaries.yml | 28 ++++---------------------- 1 file changed, 4 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 36871b6..46f844d 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml 
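Review bot: The identity fallback expression on the new "Re-sign" step repeats the one on the macOS "Build" step (whose header is above this hunk), and the two must stay identical or the binary is signed with one identity and re-signed with another. Since the identity string is the public signer name rather than a secret, a single job-level `env: CODEDB_CODESIGN_IDENTITY: "${{ secrets.APPLE_CODESIGN_IDENTITY != '' && secrets.APPLE_CODESIGN_IDENTITY || '…' }}"` would keep both steps in sync without widening secret exposure. The Re-sign step also deserves a comment explaining that `codesign -f … --options runtime --timestamp` intentionally replaces whatever signature build.zig applied, because legacy tags' build.zig signs ad-hoc and notarization needs the hardened runtime, e.g. `# legacy tags ad-hoc sign in build.zig; re-sign with hardened runtime for notarization`.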
@@ -84,30 +84,10 @@ jobs: - name: Import Apple signing certificate if: runner.os == 'macOS' - env: - APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - shell: bash - run: | - set -euo pipefail - CERT_PATH="$RUNNER_TEMP/codedb-signing.p12" - KEYCHAIN_PATH="$RUNNER_TEMP/codedb-signing.keychain-db" - export CERT_PATH - python3 - <<'PY' - import base64 - import os - import pathlib - pathlib.Path(os.environ["CERT_PATH"]).write_bytes( - base64.b64decode(os.environ["APPLE_CERTIFICATE_P12"]) - ) - PY - security create-keychain -p "" "$KEYCHAIN_PATH" - security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" - security unlock-keychain -p "" "$KEYCHAIN_PATH" - security import "$CERT_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" - security list-keychains -d user -s "$KEYCHAIN_PATH" - security default-keychain -s "$KEYCHAIN_PATH" - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" "$KEYCHAIN_PATH" + uses: apple-actions/import-codesign-certs@v5 + with: + p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }} + p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - name: Build ${{ matrix.asset_name }} (macOS) if: runner.os == 'macOS' From 902cdf9ad103d79fda97aa6797d2633aff5d8a7f Mon Sep 17 00:00:00 2001 From: Mariot Chauvin Date: Sun, 5 Apr 2026 20:49:43 +0100 Subject: [PATCH 6/7] ci: move notarization logic into script --- .github/workflows/release-binaries.yml | 22 +------------ scripts/notarize-macos.sh | 44 ++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 21 deletions(-) create mode 100644 scripts/notarize-macos.sh diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 46f844d..f8a9e91 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml 
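Review bot: `apple-actions/import-codesign-certs@v5` is referenced by a mutable major-version tag while being handed the signing certificate and its password, so whoever can move that tag changes the code that receives `APPLE_CERTIFICATE_P12` and `APPLE_CERTIFICATE_PASSWORD`. Pinning to a full commit SHA with the version in a trailing comment, `uses: apple-actions/import-codesign-certs@<FULL_COMMIT_SHA> # v5` (placeholder), is the usual fix; `actions/checkout@v4` earlier in the file has the same shape. The removed step used to create and register its own keychain explicitly; the action presumably manages a keychain of its own, so a one-line comment on the step stating that the later `codesign` step relies on the action's keychain being in the default search list would make that dependency visible.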
@@ -129,27 +129,7 @@ jobs: shell: bash run: | set -euo pipefail - API_KEY_PATH="$RUNNER_TEMP/codedb-notary-key.p8" - export API_KEY_PATH - python3 - <<'PY' - import base64 - import os - import pathlib - pathlib.Path(os.environ["API_KEY_PATH"]).write_bytes( - base64.b64decode(os.environ["APPLE_API_KEY_BASE64"]) - ) - PY - chmod 600 "$API_KEY_PATH" - codesign --verify --verbose=2 "${{ matrix.asset_name }}" - ditto -c -k --keepParent "${{ matrix.asset_name }}" "${{ matrix.asset_name }}.zip" - xcrun notarytool submit "${{ matrix.asset_name }}.zip" \ - --key "$API_KEY_PATH" \ - --key-id "$APPLE_API_KEY_ID" \ - --issuer "$APPLE_API_ISSUER_ID" \ - --wait - xcrun stapler staple "${{ matrix.asset_name }}" || true - spctl --assess --type execute --verbose=4 "${{ matrix.asset_name }}" - rm -f "${{ matrix.asset_name }}.zip" "$API_KEY_PATH" + bash scripts/notarize-macos.sh "${{ matrix.asset_name }}" - name: Upload build artifact uses: actions/upload-artifact@v4 diff --git a/scripts/notarize-macos.sh b/scripts/notarize-macos.sh new file mode 100644 index 0000000..468b7b8 --- /dev/null +++ b/scripts/notarize-macos.sh 
@@ -0,0 +1,44 @@ +#!/usr/bin/env bash +set -euo pipefail + +if [[ $# -ne 1 ]]; then + echo "usage: $0 " >&2 + exit 1 +fi + +binary_path="$1" + +: "${APPLE_API_KEY_ID:?APPLE_API_KEY_ID is required}" +: "${APPLE_API_ISSUER_ID:?APPLE_API_ISSUER_ID is required}" +: "${APPLE_API_KEY_BASE64:?APPLE_API_KEY_BASE64 is required}" + +tmp_dir="$(mktemp -d "${TMPDIR:-/tmp}/codedb-notary.XXXXXX")" +api_key_path="$tmp_dir/codedb-notary-key.p8" +zip_path="$tmp_dir/$(basename "$binary_path").zip" +export API_KEY_PATH="$api_key_path" + +cleanup() { + rm -rf "$tmp_dir" +} +trap cleanup EXIT + +python3 - <<'PY' +import base64 +import os +import pathlib + +pathlib.Path(os.environ["API_KEY_PATH"]).write_bytes( + base64.b64decode(os.environ["APPLE_API_KEY_BASE64"]) +) +PY + +chmod 600 "$api_key_path" +codesign --verify --verbose=2 "$binary_path" +ditto -c -k --keepParent "$binary_path" "$zip_path" +xcrun notarytool submit "$zip_path" \ + --key "$api_key_path" \ + --key-id "$APPLE_API_KEY_ID" \ + --issuer "$APPLE_API_ISSUER_ID" \ + --wait +xcrun stapler staple "$binary_path" || true +spctl --assess --type execute --verbose=4 "$binary_path" From cdf459f1e1f7b8d81fe434ea1cf1088e0c8ad166 Mon Sep 17 00:00:00 2001 From: Mariot Chauvin Date: Sun, 5 Apr 2026 21:42:29 +0100 Subject: [PATCH 7/7] ci: fetch notarization helper for legacy tags --- .github/workflows/release-binaries.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index f8a9e91..d8de765 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml 
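Review bot: `xcrun stapler staple "$binary_path" || true` hides every stapler failure and nothing says why that is acceptable; as far as I know stapler cannot attach a ticket to a bare Mach-O executable, so the `spctl --assess` call on the following line is the actual gate. A comment such as `# stapling is not supported for standalone executables; spctl below checks the notarization ticket online` would stop a future reader from "fixing" the `|| true` or dropping the spctl line. The usage message reads `"usage: $0 "` with nothing after `$0`; if that is not an extraction artefact, `echo "usage: $0 <binary_path>" >&2` should name the expected argument.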
@@ -60,6 +60,18 @@ jobs: tar -xf zig.tar.xz echo "$PWD/${{ matrix.zig_dir }}" >> "$GITHUB_PATH" + - name: Fetch notarization helper from main + if: runner.os == 'macOS' + shell: bash + env: + GH_TOKEN: ${{ github.token }} + run: | + set -euo pipefail + mkdir -p scripts + gh api repos/${{ github.repository }}/contents/scripts/notarize-macos.sh \ + -H "Accept: application/vnd.github.raw" > scripts/notarize-macos.sh + chmod +x scripts/notarize-macos.sh + - name: Require macOS signing and notarization secrets if: runner.os == 'macOS' env:
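Review bot: The helper is fetched from the repository's default branch at release time, and the redirect unconditionally overwrites whatever `scripts/notarize-macos.sh` the tag's checkout already contains, so every macOS release — current tags included — runs notarization code that is not pinned to the commit being released, and anyone who can change `main` changes what runs inside the signing job. Skipping the fetch when the checkout already has the file, `if [[ -f scripts/notarize-macos.sh ]]; then exit 0; fi` before `mkdir -p scripts`, restores that property for current tags, and for legacy tags the `gh api` path can be pinned with `?ref=<PINNED_COMMIT_SHA>` (placeholder) so the fetched content is fixed rather than whatever `main` holds that day. A comment on the step stating that it exists only for tags predating the script would make the intent clear to the next maintainer.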