From d42d9e06c56d51fc0a445ebe5f1b047b322def49 Mon Sep 17 00:00:00 2001 From: omar-hernandez-bastos Date: Tue, 14 Jul 2026 22:17:54 +0200 Subject: [PATCH] ci: sign and notarize the macOS build Adds Apple Developer ID codesigning + notarization to the macOS matrix job via tauri-action's built-in APPLE_* env vars (tauri-bundler handles the temporary keychain import and notarytool call itself). Windows/Linux jobs and the winget submission are untouched. Requires 5 new repo secrets: APPLE_CERTIFICATE_P12_BASE64, APPLE_CERTIFICATE_PASSWORD, APPLE_API_KEY_ID, APPLE_API_ISSUER_ID, APPLE_API_KEY_P8_BASE64. --- .github/workflows/release.yml | 23 ++++++++++++++++++++++- README.md | 2 +- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0eb1f24..faaeaa4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,14 +48,35 @@ jobs: - run: npm ci + # Apple's notarization API key is a file path, not an inline value — + # decode it once here so the tauri-action step below can point + # APPLE_API_KEY_PATH at it. No-op on Windows/Linux (the secret is only + # consumed by the macOS codesign/notarize step in tauri-bundler). + - name: Decode Apple notarization API key + if: matrix.platform == 'macos-latest' + run: | + KEY_PATH="$RUNNER_TEMP/AppleAPIKey.p8" + echo "${{ secrets.APPLE_API_KEY_P8_BASE64 }}" | base64 --decode -o "$KEY_PATH" + echo "APPLE_API_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV" + # tauri-action builds, signs the updater artifacts, and uploads every # matrix job's installers to the same tag release; latest.json is - # merged across platforms. + # merged across platforms. On macOS it also codesigns + notarizes the + # .dmg/.app when the APPLE_* env vars below are present (tauri-bundler + # imports the certificate into a temporary keychain and calls + # notarytool itself — no manual codesign/notarytool steps needed here). - uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: "" + APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + APPLE_SIGNING_IDENTITY: "Developer ID Application: Omar Jesus Hernandez Bastos (C34D3V8484)" + APPLE_TEAM_ID: C34D3V8484 + APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER_ID }} + APPLE_API_KEY: ${{ secrets.APPLE_API_KEY_ID }} + APPLE_API_KEY_PATH: ${{ env.APPLE_API_KEY_PATH }} with: tagName: ${{ github.ref_name }} releaseName: "AFKode ${{ github.ref_name }}" diff --git a/README.md b/README.md index 8193e50..ec4e64f 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ An in-game overlay to supervise AI coding agents — Claude Code, OpenCode, Code | OS | How | |---|---| | **Windows** | `winget install OmarHernandez.AFKode` — or the NSIS installer from [Releases](https://github.com/ohernandezdev/afkode/releases) | -| **macOS** | Download the `.dmg` from [Releases](https://github.com/ohernandezdev/afkode/releases), drag to Applications. Unsigned for now: right-click → Open on first launch (or `xattr -dr com.apple.quarantine /Applications/AFKode.app`) | +| **macOS** | Download the `.dmg` from [Releases](https://github.com/ohernandezdev/afkode/releases), drag to Applications, open it. Signed and notarized — no right-click workaround needed. | | **Linux** | `.AppImage` (self-updating) or `.deb`/`.rpm` from [Releases](https://github.com/ohernandezdev/afkode/releases) | AFKode checks for updates on startup and installs them after you confirm (signed updater artifacts). Agent CLIs (Claude Code, OpenCode, Codex) are detected on your system; install the ones you want with their official instructions and their launcher buttons appear.