Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions .github/workflows/dev-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,7 @@ jobs:
run: |
bash scripts/test/desktop_updater_config_test.sh
bash scripts/test/go_test_with_retry_test.sh
bash scripts/test/notarize_macos_test.sh
bash scripts/test/release_apple_signing_test.sh
bash scripts/test/release_no_apple_signing_test.sh
bash scripts/test/release_updater_signing_key_test.sh
bash scripts/test/release_version_helpers_test.sh
bash scripts/test/sync_release_metadata_test.sh
Expand Down
65 changes: 1 addition & 64 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,7 @@ jobs:
run: |
bash scripts/test/desktop_updater_config_test.sh
bash scripts/test/go_test_with_retry_test.sh
bash scripts/test/notarize_macos_test.sh
bash scripts/test/release_apple_signing_test.sh
bash scripts/test/release_no_apple_signing_test.sh
bash scripts/test/release_updater_signing_key_test.sh
bash scripts/test/release_version_helpers_test.sh
bash scripts/test/sync_release_metadata_test.sh
Expand Down Expand Up @@ -134,68 +133,6 @@ jobs:
--target "${{ matrix.tauri_target }}" \
--bundles "${{ matrix.bundles }}"

- name: Prepare notarization key
if: matrix.release_platform == 'macos'
env:
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
run: |
if [[ -z "${APPLE_API_KEY:-}" || -z "${APPLE_API_KEY_ID:-}" || -z "${APPLE_API_ISSUER:-}" ]]; then
echo "Missing Apple notarization secrets. Required: APPLE_API_KEY, APPLE_API_KEY_ID, APPLE_API_ISSUER" >&2
exit 1
fi
key_path="$RUNNER_TEMP/AuthKey.p8"
printf '%s' "$APPLE_API_KEY" >"$key_path"
echo "APPLE_API_KEY_PATH=$key_path" >>"$GITHUB_ENV"

- name: Import Apple signing certificate
if: matrix.release_platform == 'macos'
env:
APPLE_CERTIFICATE_P12: ${{ secrets.APPLE_CERTIFICATE_P12 }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
run: |
if [[ -z "${APPLE_CERTIFICATE_P12:-}" || -z "${APPLE_CERTIFICATE_PASSWORD:-}" || -z "${APPLE_SIGNING_IDENTITY:-}" ]]; then
echo "Missing Apple signing secrets. Required: APPLE_CERTIFICATE_P12, APPLE_CERTIFICATE_PASSWORD, APPLE_SIGNING_IDENTITY" >&2
exit 1
fi

apple_cert_path="$RUNNER_TEMP/apple-signing-cert.p12"
APPLE_CERTIFICATE_P12="$APPLE_CERTIFICATE_P12" python3 -c 'import base64, os, sys; payload = os.environ.get("APPLE_CERTIFICATE_P12", ""); sys.exit("APPLE_CERTIFICATE_P12 is empty") if not payload else None; sys.stdout.buffer.write(base64.b64decode(payload, validate=True))' >"$apple_cert_path"

APPLE_KEYCHAIN_PASSWORD="$(openssl rand -hex 20)"
APPLE_KEYCHAIN_PATH="$RUNNER_TEMP/apple-signing.keychain-db"

security create-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$APPLE_KEYCHAIN_PATH"
security set-keychain-settings -lut 21600 "$APPLE_KEYCHAIN_PATH"
security unlock-keychain -p "$APPLE_KEYCHAIN_PASSWORD" "$APPLE_KEYCHAIN_PATH"
security import "$apple_cert_path" \
-k "$APPLE_KEYCHAIN_PATH" \
-P "$APPLE_CERTIFICATE_PASSWORD" \
-T /usr/bin/codesign \
-T /usr/bin/security
security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_KEYCHAIN_PASSWORD" "$APPLE_KEYCHAIN_PATH"

existing_keychains=()
while IFS= read -r keychain; do
existing_keychains+=("$keychain")
done < <(security list-keychains -d user | sed 's/^[[:space:]]*//; s/"//g')
security list-keychains -d user -s "$APPLE_KEYCHAIN_PATH" "${existing_keychains[@]}"
security default-keychain -d user -s "$APPLE_KEYCHAIN_PATH"

echo "APPLE_KEYCHAIN_PASSWORD=$APPLE_KEYCHAIN_PASSWORD" >>"$GITHUB_ENV"
echo "APPLE_KEYCHAIN_PATH=$APPLE_KEYCHAIN_PATH" >>"$GITHUB_ENV"

- name: Notarize macOS bundle
if: matrix.release_platform == 'macos'
env:
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_API_KEY_PATH: ${{ env.APPLE_API_KEY_PATH }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
run: bash scripts/desktop/notarize_macos.sh

- name: Collect release assets
env:
RELEASE_VERSION: ${{ github.ref_name }}
Expand Down
2 changes: 2 additions & 0 deletions docs/plans/2026-04-03-macos-signing-release-plan.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
# macOS Signing Release Implementation Plan

> **2026-07-06 状态:已废弃。** CI release workflow 已移除 Apple certificate import、keychain setup、codesign/notarization 调用以及对应的 Apple secret 依赖。原 `scripts/test/release_apple_signing_test.sh` 已替换为 `scripts/test/release_no_apple_signing_test.sh`,用于防止 Apple 签名/公证逻辑重新出现在 GitHub Actions workflow 中。

> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.

**Goal:** Make the release workflow import the Apple signing certificate into the macOS runner keychain so GitHub Actions can codesign and notarize release builds, then run the repository release loop.
Expand Down
40 changes: 0 additions & 40 deletions scripts/test/release_apple_signing_test.sh

This file was deleted.

36 changes: 36 additions & 0 deletions scripts/test/release_no_apple_signing_test.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
#!/usr/bin/env bash
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
WORKFLOW_DIR="$ROOT_DIR/.github/workflows"

fail() {
echo "FAIL: $*" >&2
exit 1
}

assert_workflows_not_contains() {
local pattern="$1"
if grep -R -Fq "$pattern" "$WORKFLOW_DIR"; then
fail "expected GitHub Actions workflows to not contain: $pattern"
fi
}

assert_workflows_not_contains "name: Prepare notarization key"
assert_workflows_not_contains "name: Import Apple signing certificate"
assert_workflows_not_contains "name: Notarize macOS bundle"
assert_workflows_not_contains "APPLE_API_KEY"
assert_workflows_not_contains "APPLE_API_KEY_ID"
assert_workflows_not_contains "APPLE_API_ISSUER"
assert_workflows_not_contains "APPLE_CERTIFICATE_P12"
assert_workflows_not_contains "APPLE_CERTIFICATE_PASSWORD"
assert_workflows_not_contains "APPLE_SIGNING_IDENTITY"
assert_workflows_not_contains "APPLE_KEYCHAIN"
assert_workflows_not_contains "scripts/desktop/notarize_macos.sh"
assert_workflows_not_contains "scripts/test/notarize_macos_test.sh"
assert_workflows_not_contains "security create-keychain"
assert_workflows_not_contains "security import"
assert_workflows_not_contains "security unlock-keychain"
assert_workflows_not_contains "security set-key-partition-list"

echo "PASS: release_no_apple_signing_test"
Loading