Add macOS code signing and notarization by jeremy · Pull Request #185 · basecamp/basecamp-cli
added 3 commits
March 3, 2026 13:19
Use GoReleaser v2's native notarize.macos support (powered by embedded quill) to sign and notarize darwin binaries on the existing Ubuntu runner. The enabled gate requires all five MACOS_* secrets to be present, cleanly skipping for forks and local builds. Explicit ids: [basecamp] prevents accidental scope expansion if new build targets are added.
Pass MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY, MACOS_NOTARY_KEY_ID, and MACOS_NOTARY_ISSUER_ID to GoReleaser. A preflight step on the canonical repo fails fast if any secret is missing, preventing silent publication of unsigned macOS binaries. Forks skip the check via github.repository guard. Bump release job timeout from 15m to 45m for notarization wait headroom.
Copilot AI review requested due to automatic review settings
March 3, 2026 21:20
GitHub Actions sets missing secrets as empty strings, so isEnvSet returns true even on forks without secrets configured. Switch to Go template truthiness (empty string is falsy) so the notarize block is skipped when secrets are absent.
Add `environment: release` to the release job so signing credentials are only accessible to that specific job context. Isolates the Developer ID cert and App Store Connect API key from other workflows.
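The empty-string behaviour described in the commit message above, as an added example that is not code from this pull request or from GoReleaser. The presence check is a hypothetical stand-in for the `isEnvSet` behaviour the commit describes; `sampleEnv`, `presenceGate` and `truthyGate` are names invented here, and the environment values are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// The five secret names listed in the commit message.
var macosSecrets = []string{"MACOS_SIGN_P12", "MACOS_SIGN_PASSWORD",
	"MACOS_NOTARY_KEY", "MACOS_NOTARY_KEY_ID", "MACOS_NOTARY_ISSUER_ID"}

// sampleEnv builds a constructed environment with every secret set to v.
func sampleEnv(v string) map[string]string {
	env := map[string]string{}
	for _, k := range macosSecrets {
		env[k] = v
	}
	return env
}

// presenceGate (hypothetical) only asks whether each variable exists,
// so a variable exported as "" still counts as set.
func presenceGate(env map[string]string) bool {
	for _, k := range macosSecrets {
		if _, ok := env[k]; !ok {
			return false
		}
	}
	return true
}

// truthyGate (hypothetical) uses text/template truthiness: "" is falsy, so
// `and` over all five values is true only when none of them is empty.
func truthyGate(env map[string]string) (bool, error) {
	expr := "{{ if and .Env." + strings.Join(macosSecrets, " .Env.") +
		" }}true{{ else }}false{{ end }}"
	t, err := template.New("enabled").Parse(expr)
	if err != nil {
		return false, err
	}
	var out strings.Builder
	err = t.Execute(&out, struct{ Env map[string]string }{env})
	return out.String() == "true", err
}

func main() {
	for name, env := range map[string]map[string]string{
		"fork (secrets empty)": sampleEnv(""), "canonical": sampleEnv("constructed")} {
		truthy, err := truthyGate(env)
		fmt.Println(name, "presence:", presenceGate(env), "truthy:", truthy, err)
	}
}
```

With every secret exported as an empty string, the presence check still passes while the truthiness gate evaluates to false, which is the case the commit fixes for forks.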
Copilot AI review requested due to automatic review settings
March 3, 2026 23:19
jeremy deleted the apple-notarize branch