From 5d0d396de6e94c795313d02c619d193854ceeb05 Mon Sep 17 00:00:00 2001
From: Rian Stockbower
Date: Wed, 3 Jun 2026 15:59:27 -0400
Subject: [PATCH] feat: sign slck darwin binaries with a stable code-signing identity
Add the darwin hooks.post to the slck-darwin build (runs the centralized codesign-darwin.sh via the absolute $CODESIGN_DARWIN_SCRIPT exported by open-cli-collective/.github macos-codesign-setup), forward the four macos-cert-* secrets to the reusable release workflow, and bump version.txt to 3.2 so the merge cuts a signed release (canary for the stable-code-signing rollout).
Closes #184
---
 .github/workflows/release.yml | 4 ++++
 .goreleaser.yaml | 7 +++++++
 version.txt | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 313d9b2..d707ea1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -37,3 +37,7 @@ jobs:
 chocolatey-api-key: ${{ secrets.CHOCOLATEY_API_KEY }}
 winget-token: ${{ secrets.WINGET_GITHUB_TOKEN }}
 linux-dispatch-token: ${{ secrets.LINUX_PACKAGES_DISPATCH_TOKEN }}
+ macos-cert-p12: ${{ secrets.MACOS_CERT_P12 }}
+ macos-cert-password: ${{ secrets.MACOS_CERT_PASSWORD }}
+ macos-cert-cn: ${{ secrets.MACOS_CERT_CN }}
+ macos-cert-leaf-sha: ${{ secrets.MACOS_CERT_LEAF_SHA }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 747988b..d5efb2d 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
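Review bot: The four `macos-cert-*` inputs added in the release.yml hunk hand the signing certificate (`MACOS_CERT_P12`) and its password to the reusable release workflow, but that job's `uses:` reference sits above the hunk, so how the callee is pinned cannot be checked from here. If it points at a branch or a mutable tag of open-cli-collective/.github, any change to that ref would run with the .p12 and its password in scope; pinning it to a full commit SHA keeps the code that receives the key material reviewable. A comment above the new lines, such as `# signing identity: consumed only by macos-codesign-setup in the reusable workflow`, would also record where these secrets are expected to be used.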
@@ -42,6 +42,13 @@ builds:
 - -X github.com/open-cli-collective/slack-chat-api/internal/version.Version={{.Version}}
 - -X github.com/open-cli-collective/slack-chat-api/internal/version.Commit={{.Commit}}
 - -X github.com/open-cli-collective/slack-chat-api/internal/version.Date={{.Date}}
+ # macOS code-signing — stable DR so Keychain "Always Allow" survives brew upgrade
+ # (cli-common distribution.md §2A). Logic + identity live in open-cli-collective/.github
+ # (macos-codesign-setup), which exports CODESIGN_DARWIN_SCRIPT (absolute). Unset in
+ # local builds → signing skipped.
+ hooks:
+ post:
+ - cmd: bash -c 'f="${CODESIGN_DARWIN_SCRIPT:-}"; [ -n "$f" ] && [ -x "$f" ] && exec "$f" "$0" "$1"; echo "skip codesign (no CODESIGN_DARWIN_SCRIPT)"' "{{ .Path }}" "{{ .Os }}"
 - id: slck-unix-win
 main: ./cmd/slck
 binary: slck
diff --git a/version.txt b/version.txt
index 8c50098..a3ec5a4 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-3.1
+3.2
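Review bot: The post hook in the .goreleaser.yaml hunk fails open: when `CODESIGN_DARWIN_SCRIPT` is unset, or is set but the file is missing or not executable, the `&&` chain falls through to the `echo` and the hook exits 0, so a release run with a broken signing setup would presumably ship unsigned darwin binaries with only a log line (which also reports a set-but-unusable path as "no CODESIGN_DARWIN_SCRIPT"). Keep the skip for the unset case but fail when the variable is set and unusable, by replacing the chain inside the quotes with `[ -z "$f" ] && { echo "skip codesign (no CODESIGN_DARWIN_SCRIPT)"; exit 0; }; [ -x "$f" ] || { echo "CODESIGN_DARWIN_SCRIPT not executable: $f" >&2; exit 1; }; exec "$f" "$0" "$1"`. Because the unset case still skips, the release workflow (not visible in this patch) should separately verify the signature on the built darwin artifact before upload. The `hooks:` key attaches to a build entry whose `id:` line is above the hunk.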