Use GoReleaser v2's native notarize.macos support (powered by embedded quill) to sign and notarize darwin binaries on the existing Ubuntu runner. The enabled gate requires all five MACOS_* secrets to be present, cleanly skipping for forks and local builds. Explicit ids: [basecamp] prevents accidental scope expansion if new build targets are added.
Pass MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY, MACOS_NOTARY_KEY_ID, and MACOS_NOTARY_ISSUER_ID to GoReleaser. A preflight step on the canonical repo fails fast if any secret is missing, preventing silent publication of unsigned macOS binaries. Forks skip the check via github.repository guard. Bump release job timeout from 15m to 45m for notarization wait headroom.
The release workflow produces checksums.txt.bundle (cosign v2 bundle), not the separate .sig/.pem files the installer was trying to download. Switch to --bundle flag to match actual release assets.
Pull request overview
This PR adds macOS code signing and notarization to the release pipeline using GoReleaser v2's built-in notarize.macos block (powered by Quill, which runs cross-platform on Ubuntu). It also fixes a pre-existing bug where the install script's cosign verification used the old separate .sig/.pem format instead of the .bundle format already produced by GoReleaser.
Changes:
- Add GoReleaser `notarize.macos` block with conditional enablement via `isEnvSet` template, using five new `MACOS_*` environment variables for the signing certificate and App Store Connect API key.
- Add a preflight step in the release workflow to verify macOS secrets are present before GoReleaser runs (fail-closed on the canonical repo, gracefully skipped on forks), pass the five secrets into GoReleaser, and extend the job timeout from 15→45 minutes to accommodate notarization wait time.
- Fix `scripts/install.sh` cosign verification to use `--bundle checksums.txt.bundle` instead of the previous `--certificate`/`--signature` pair, matching the actual release asset format.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `.goreleaser.yaml` | Adds notarize.macos block with conditional enablement and credential templates |
| `.github/workflows/release.yml` | Adds preflight secrets check, wires MACOS_* secrets into GoReleaser, increases job timeout |
| `scripts/install.sh` | Fixes cosign verify-blob to use --bundle format matching actual release assets |
GitHub Actions sets missing secrets as empty strings, so isEnvSet returns true even on forks without secrets configured. Switch to Go template truthiness (empty string is falsy) so the notarize block is skipped when secrets are absent.
Add `environment: release` to the release job so signing credentials are only accessible to that specific job context. Isolates the Developer ID cert and App Store Connect API key from other workflows.
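The two commits above (the fail-closed preflight and the empty-string pitfall with `isEnvSet`) are modelled in the following shell snippet. This is an added example, not code from the PR or the project's workflow: the function names `preflight_macos_secrets`, `missing_macos_secrets` and `naive_secrets_defined` and the `CANONICAL_REPO` placeholder are assumptions; only the five `MACOS_*` secret names come from the PR.

```shell
#!/bin/sh
# Added example (not the PR's code): preflight gate for macOS signing secrets.
# Lesson 1: on the canonical repo, fail closed if any secret is missing.
# Lesson 2: GitHub Actions injects an absent secret as "" (defined but empty),
#           so an "is the variable defined?" test passes on forks; test for a
#           non-empty value instead.

# Secret names taken from the PR.
REQUIRED_MACOS_SECRETS="MACOS_SIGN_P12 MACOS_SIGN_PASSWORD MACOS_NOTARY_KEY MACOS_NOTARY_KEY_ID MACOS_NOTARY_ISSUER_ID"

# Placeholder: the repo that is allowed to publish signed binaries (assumed).
CANONICAL_REPO="${CANONICAL_REPO:-OWNER/REPO-PLACEHOLDER}"

# Indirect read of the variable named in $1 (POSIX sh, no bash ${!x} needed).
secret_value() { eval "printf '%s' \"\${$1:-}\""; }

# True if the variable named in $1 is defined, even when its value is "".
secret_is_defined() { eval "[ -n \"\${$1+x}\" ]"; }

# The naive check: succeeds as long as every variable exists. On a fork with
# no secrets configured every MACOS_* variable exists with value "", so this
# returns 0 and the notarize block would wrongly be enabled.
naive_secrets_defined() {
  for name in $REQUIRED_MACOS_SECRETS; do
    secret_is_defined "$name" || return 1
  done
  return 0
}

# The correct check: print the names whose value is empty or unset.
missing_macos_secrets() {
  missing=""
  for name in $REQUIRED_MACOS_SECRETS; do
    if [ -z "$(secret_value "$name")" ]; then
      missing="$missing $name"
    fi
  done
  printf '%s' "${missing# }"
}

# $1 = repository the workflow runs in (GITHUB_REPOSITORY), $2 = canonical repo.
# Returns 0 on a fork/local build (skip signing) or when all secrets are present;
# returns 1 on the canonical repo with any secret missing, so the job fails
# instead of silently publishing unsigned macOS binaries.
preflight_macos_secrets() {
  repo="$1"
  canonical="$2"
  if [ "$repo" != "$canonical" ]; then
    echo "fork or local build ($repo): skipping macOS signing preflight"
    return 0
  fi
  missing="$(missing_macos_secrets)"
  if [ -n "$missing" ]; then
    echo "ERROR: canonical release is missing macOS signing secrets:$missing" >&2
    return 1
  fi
  echo "all macOS signing secrets present"
  return 0
}

# Stand-alone usage, e.g. from a workflow step:
#   sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  preflight_macos_secrets "${GITHUB_REPOSITORY:-local}" "$CANONICAL_REPO"
fi
```

In a workflow step this would run with `GITHUB_REPOSITORY` and the five secrets exported; the same non-empty test is what the GoReleaser `enabled` template must express, since a "defined" test is satisfied by the empty strings Actions injects on forks.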
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
Summary
- `notarize.macos` block to sign and notarize darwin binaries using the existing Ubuntu runner (no macOS runner needed). Uses the org's existing Developer ID Application certificate (Basecamp, LLC / 2WNYUYRS7G) with a dedicated App Store Connect API key for this repo.
- `MACOS_*` secrets into the release workflow with a fail-closed preflight check on the canonical repo (forks skip gracefully).
- `release` environment so they're only accessible to the release job.
- `.bundle` format, matching actual release assets.
Setup (one-time, before first signed release)
1. Create the `release` environment
   Settings → Environments → New environment → name it `release`. Restrict to `main` branch under deployment branch rules.
2. Add environment secrets
   Add the five `MACOS_*` secrets to the `release` environment. See `RELEASING.md` for details.
Test plan
- `goreleaser check` passes (verified locally)
- `goreleaser release --snapshot --clean` with env vars exported — darwin binaries built, notarize block correctly skipped when secrets empty
- `codesign -dv --verbose=4 basecamp` — should show Developer ID Application identity
- `cosign verify-blob --bundle checksums.txt.bundle ...` — Verified OK against latest release