feat: sign slck darwin binaries with a stable code-signing identity#185
Conversation
Add the darwin hooks.post to the slck-darwin build (runs the centralized codesign-darwin.sh via the absolute $CODESIGN_DARWIN_SCRIPT exported by open-cli-collective/.github macos-codesign-setup), forward the four macos-cert-* secrets to the reusable release workflow, and bump version.txt to 3.2 so the merge cuts a signed release (canary for the stable-code-signing rollout). Closes #184
|
Codex PR review (9a). STATUS: blockers=0 majors=0 minors=0 nits=0 — no findings. No findings. Verified against the actual repo files:
Operational note for merge: keep the squash title as |
monit-reviewer
left a comment
monit-reviewer
left a comment
There was a problem hiding this comment.
Automated PR Review
Reviewed commit: 5d0d396
Approved with 1 non-blocking suggestion below. Address at your discretion.
Summary
| Reviewer | Findings |
|---|---|
| harness-engineering:harness-enforcement-reviewer | 1 |
harness-engineering:harness-enforcement-reviewer (1 findings)
💡 Suggestion - .goreleaser.yaml:48
The hook silently skips signing when CODESIGN_DARWIN_SCRIPT is set but not executable ([ -x "$f" ] fails). A misconfigured CI environment produces an unsigned binary with only an informational echo and exit 0. The downstream darwin-gate check-signature enforces the DR before publish, so the binary won't ship unsigned, but there is no early fail-fast signal. Consider replacing the [ -x ] branch with a hard failure: '[ -n "$f" ] && { [ -x "$f" ] || { echo "CODESIGN_DARWIN_SCRIPT set but not executable: $f" >&2; exit 1; }; exec "$f" "$0" "$1"; }'.
1 PR discussion thread considered.
Completed in 1m 37s | $0.44 | sonnet | daemon 0.2.121 | Glorfindel
| Field | Value |
|---|---|
| Model | sonnet |
| Reviewers | hybrid-synthesis, harness-engineering:harness-architecture-reviewer, harness-engineering:harness-enforcement-reviewer, harness-engineering:harness-knowledge-reviewer |
| Engine | claude · sonnet |
| Reviewed by | pr-review-daemon · monit-pr-reviewer |
| Duration | 1m 37s wall · 3m 55s compute (Reviewers: 1m 24s · Synthesis: 10s) |
| Cost | $0.44 |
| Tokens | 157.5k in / 12.8k out |
| Turns | 10 |
Per-workstream usage
| Workstream | Model | In | Out | Cache read | Cache create | Cost |
|---|---|---|---|---|---|---|
| hybrid-synthesis | sonnet | 30.5k | 412 | 18.6k | 11.9k (1h) | $0.06 |
| harness-engineering:harness-architecture-reviewer | sonnet | 44.4k | 4.7k | 23.5k | 20.9k (1h) | $0.16 |
| harness-engineering:harness-enforcement-reviewer | sonnet | 39.9k | 4.5k | 30.0k | 9.9k (1h) | $0.12 |
| harness-engineering:harness-knowledge-reviewer | sonnet | 42.7k | 3.2k | 31.4k | 11.3k (1h) | $0.10 |
Re-reviews only run when @monit-reviewer is re-requested as a reviewer — push as many commits as you need, then re-request when ready. PRs targeting branches other than main, master are skipped, even when @monit-reviewer is re-requested.
2 participants
Canary for the stable macOS code-signing rollout (convention:
cli-commondistribution.md §2A; infra:open-cli-collective/.github#23, now on@v1). Givesslcka stable code-signing identity so the Keychain "Always Allow" grant survivesbrew upgrade.Changes
.goreleaser.yaml: add the darwinhooks.postto theslck-darwinbuild — runs the centralizedcodesign-darwin.shvia the absolute$CODESIGN_DARWIN_SCRIPT(exported bymacos-codesign-setup); no-ops in local builds..github/workflows/release.yml: forward the fourmacos-cert-*secrets to the reusable workflow (explicit pass-through).version.txt→3.2: trips the dual-gate auto-release so the merge cuts a signed release.On merge
Auto-release mints the tag →
release.ymlsigns the darwin binaries →darwin-gate check-signatureenforces the DR (certificate leaf = H"42e1afd0…", nocdhash) before publish. Verifying end-to-end here before the other tools.Expect a one-time final re-prompt for existing macOS users on first upgrade to the signed build.
Closes #184