ci(release): add the missing macOS Tauri artifact publishing #75

Merged: appergb merged 1 commit into Open-Less:main from Cooper-X-Oak:codex/release-tauri-macos-artifacts-pr on Apr 30, 2026
Cooper-X-Oak (Contributor) commented Apr 30, 2026

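Summary

Fixes #none (no new upstream issue is being opened).

Related fork verification: Cooper-X-Oak#12

This PR is a release workflow maintenance item split out of an already-verified batch on fork/dev: it brings macOS arm64 build artifacts back into the Tauri release workflow and supports signing / notarization when Apple secrets are configured; when secrets are not configured it keeps the ad-hoc fallback warning.

Fixes / Additions / Improvements

  • Add macos-latest / aarch64-apple-darwin to the release matrix.
  • Add an Apple signing secrets availability check, certificate import, and notarization environment injection.
  • macOS uses scripts/build-mac.sh to generate the dmg and uploads it as an artifact / GitHub Release asset.
  • Keep the Windows / Linux release artifact upload logic, and add an artifact debug listing.

Compatibility

  • Not included: business-code changes, regular CI pipeline changes, release tag policy changes.
  • Impact on existing users / local environments / build process: only the tag / workflow_dispatch release workflow is affected; when Apple secrets are missing it does not hard-fail, but prints a warning and uses the ad-hoc signing path.
  • Paths have been adapted from fork/dev's openless -all back to upstream's current directory openless-all.

Test plan

  • Command: git diff --check -- .github/workflows/release-tauri.yml
  • Result: passed.
  • Command: parse .github/workflows/release-tauri.yml with PyYAML safe_load
  • Result: passed.
  • Command: check that no openless -all path remains in the workflow.
  • Result: no matches.
  • Evidence path: the real release workflow needs a tag or a manual dispatch to verify.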

Summary by Sourcery

Extend the Tauri release workflow to build and publish macOS arm64 artifacts with optional Apple signing and notarization, alongside existing Windows and Linux releases.

Build:

  • Update release-tauri workflow to add a macOS arm64 matrix entry and integrate macOS DMG artifacts into GitHub Release uploads.
  • Introduce Apple signing and notarization environment configuration, including conditional certificate import and ad-hoc fallback when secrets are missing.
  • Add a unified macOS build step using scripts/build-mac.sh and enhance artifact collection with debug listing and dedicated macOS artifact uploads.

CI:

  • Refine release-tauri workflow triggers and documentation comments to clarify tag patterns, platform outputs, and signing behavior.

sourcery-ai Bot commented Apr 30, 2026

Reviewer's Guide

Extends the Tauri release workflow to build, sign/notarize, and publish macOS arm64 DMG artifacts alongside existing Windows and Linux outputs, with Apple signing handled via optional secrets and ad-hoc fallbacks, plus unified artifact upload and debug listing.

Sequence diagram for tag-based Tauri release with macOS DMG publication

sequenceDiagram
  actor Dev as Developer
  participant GH as GitHub
  participant WF as Release_workflow
  participant MAC as macos_latest_runner
  participant APPLE as Apple_notary_service
  participant REL as GitHub_Release

  Dev->>GH: Push tag vX.Y.Z-tauri
  GH->>WF: Trigger_release_tauri_workflow

  WF->>MAC: Start_matrix_job(platform=macos_latest)
  MAC->>MAC: Check_Apple_signing_availability
  MAC->>MAC: Import_Apple_Developer_ID_certificate
  MAC->>MAC: Configure_Apple_notarization_env

  MAC->>APPLE: Submit_app_for_notarization
  APPLE-->>MAC: Notarization_result

  MAC->>MAC: Run_scripts_build_mac_sh
  MAC->>GH: Upload_DMG_artifact_to_GitHub_Artifacts

  WF->>REL: Create_or_update_release_with_all_artifacts
  REL-->>Dev: Published_release_with_macOS_DMG_Windows_and_Linux_bundles

Flow diagram for macOS arm64 build, signing, and artifact publication

flowchart TD
  S0([Start_matrix_job])
  S1{platform_is_macos_latest?}
  S2{ref_is_v*_tauri_tag?}
  S3[Check_Apple_signing_availability]
  S4[Import_Apple_Developer_ID_certificate]
  S5{Apple_certificate_secrets_present?}
  S6[Configure_Apple_notarization_env]
  S7[Run_scripts_build_mac_sh]
  S8[List_artifacts_debug]
  S9[Upload_macOS_DMG_artifacts]
  S10{tag_push_for_release?}
  S11[Create_or_update_GitHub_Release]
  E([End])

  S0 --> S1
  S1 -->|no| E
  S1 -->|yes| S2

  S2 -->|yes| S3
  S2 -->|no| S4

  S3 --> S4

  S4 --> S5
  S5 -->|no| S6
  S5 -->|yes| S6

  S6 --> S7
  S7 --> S8
  S8 --> S9
  S9 --> S10

  S10 -->|yes| S11
  S10 -->|no| E
  S11 --> E

File-Level Changes

Change: Add macOS arm64 to the Tauri release build matrix and integrate a dedicated macOS build path.
Details:
  • Extend the workflow matrix with a macOS runner targeting aarch64-apple-darwin.
  • Introduce a macOS-specific build step that runs scripts/build-mac.sh with CI-focused environment settings.
  • Document in workflow header that macOS DMG is now built and uploaded by CI as part of the release outputs.
Files: .github/workflows/release-tauri.yml

Change: Implement Apple signing and notarization handling with optional secrets and ad-hoc fallback.
Details:
  • Add a check step to detect presence of required Apple secrets and emit a GitHub Actions warning when missing, indicating ad-hoc signing will be used.
  • Import a base64-encoded Apple Developer certificate into a temporary keychain, discover a usable signing identity, and export it into GITHUB_ENV for downstream use.
  • Configure Apple notarization-related environment variables from secrets when available, without failing if they are absent.
Files: .github/workflows/release-tauri.yml

Change: Align artifact collection and GitHub Release upload to include macOS DMG alongside existing Windows and Linux bundles.
Details:
  • Add a debug listing step to dump bundle directory contents for all platforms.
  • Upload macOS DMG artifacts via actions/upload-artifact with strict if-no-files-found behavior.
  • Update the GitHub Release step to attach the macOS DMG files in addition to existing Windows and Linux installers, and refresh workflow comments to describe the new behavior.
Files: .github/workflows/release-tauri.yml

@sourcery-ai sourcery-ai Bot left a comment

Hey - I've reviewed your changes and they look great!
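
The Reviewer's Guide above describes a check step that detects whether the Apple secrets are present and falls back to ad-hoc signing with a warning. A sketch of such a check follows; it is an added example, not the workflow code from this PR. The variable names are the ones Tauri's bundler reads and are an assumption about this workflow; `SIGNING_MODE` and the fail-closed switch `REQUIRE_APPLE_SIGNING` are hypothetical.

```shell
#!/bin/sh
# Added example, not the PR's workflow code.
# Assumption: these are the variable names Tauri's bundler reads; the page
# does not list the secret names the workflow actually uses.
SIGNING_VARS="APPLE_CERTIFICATE APPLE_CERTIFICATE_PASSWORD"
NOTARY_VARS="APPLE_ID APPLE_PASSWORD APPLE_TEAM_ID"

# Print the names (never the values) of the listed variables that are empty.
missing_vars() {
  mv_out=""
  for mv_name in "$@"; do
    eval "mv_val=\${$mv_name:-}"
    [ -n "$mv_val" ] || mv_out="$mv_out $mv_name"
  done
  printf '%s' "${mv_out# }"
}

# Set SIGNING_MODE to developer-id+notarize, developer-id or ad-hoc.
# REQUIRE_APPLE_SIGNING=1 (hypothetical opt-in) turns the ad-hoc fallback
# into a failure, for runs where an unsigned DMG must never be published.
decide_signing() {
  ds_sign=$(missing_vars $SIGNING_VARS)
  ds_notary=$(missing_vars $NOTARY_VARS)
  if [ -n "$ds_sign" ]; then
    SIGNING_MODE="ad-hoc"
    if [ "${REQUIRE_APPLE_SIGNING:-0}" = "1" ]; then
      echo "::error::Apple signing secrets missing: $ds_sign"
      return 1
    fi
    echo "::warning::Apple signing secrets missing ($ds_sign); using ad-hoc signing"
  elif [ -n "$ds_notary" ]; then
    SIGNING_MODE="developer-id"
    echo "::warning::Notarization secrets missing ($ds_notary); DMG will not be notarized"
  else
    SIGNING_MODE="developer-id+notarize"
  fi
  # Export the decision to later steps when running under GitHub Actions.
  if [ -n "${GITHUB_ENV:-}" ]; then
    echo "SIGNING_MODE=$SIGNING_MODE" >> "$GITHUB_ENV"
  fi
  return 0
}

# Constructed demo: certificate present but its password secret is absent.
APPLE_CERTIFICATE="constructed-base64-placeholder"
APPLE_CERTIFICATE_PASSWORD=""
decide_signing
echo "mode: $SIGNING_MODE"
```

Naming the missing variables in the warning makes a misnamed or partially configured secret visible in the run log instead of silently downgrading the release to an ad-hoc signature.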



@appergb appergb merged commit 61177ea into Open-Less:main Apr 30, 2026
2 checks passed
appergb pushed a commit that referenced this pull request Apr 30, 2026
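Includes all merges from this round:
- Fixes for the two HIGH findings (cancel race) from the Codex final review (PR #79)
- 6 Cooper-X-Oak/Codex bot PRs merged automatically (#44 #49 #53 #68 #72 #73)
- 2 conflicting PRs merged after a local rebase (#66 cancel + empty transcription coexisting / #67 Windows docs)
- README broken-image fix (PR #80)
- #48 + #75, restricted by workflow scope, merged directly by the user in the GitHub UI

Version fields synced in 3 places: package.json + tauri.conf.json + Cargo.toml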