Fix notarize enabled template to return boolean #188

Merged: jeremy merged 1 commit into main from apple-notarize on Mar 4, 2026

@jeremy jeremy commented Mar 4, 2026

Summary

The `enabled` field in `.goreleaser.yaml` used `{{ and .Env.X .Env.Y }}` which returns the last truthy value (the raw base64 string), not "true". GoReleaser checks for the string "true" specifically, so notarization was silently skipped in v0.2.2 despite all secrets being present.

Switch to `{{ and (ne .Env.X "") (ne .Env.Y "") }}` which returns the boolean true/false, rendering as the string GoReleaser expects.

Verified locally:

  • Non-empty env vars → notarize block activates (attempts signing)
  • Empty env vars → notarize block skipped (reason=disabled)

Follow-up to #185.
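
The behaviour described in the summary above, as an added example that is not part of the PR or the project's code: it renders both `enabled` templates with Go's `text/template` and applies the "must equal the string true" check as the PR describes it. The `render` and `enabled` helpers and the env values are constructed for illustration; `X` and `Y` are the placeholder names from the PR text.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// The two templates quoted in the PR, with its placeholder names X and Y.
const (
	before = `{{ and .Env.X .Env.Y }}`
	after  = `{{ and (ne .Env.X "") (ne .Env.Y "") }}`
)

// render executes tmpl with env exposed as .Env (hypothetical helper).
func render(tmpl string, env map[string]string) (string, error) {
	t, err := template.New("enabled").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = t.Execute(&sb, map[string]interface{}{"Env": env})
	return sb.String(), err
}

// enabled models the check as the PR describes it: only the literal string
// "true" turns the block on. Assumption for illustration, not GoReleaser code.
func enabled(tmpl string, env map[string]string) bool {
	out, err := render(tmpl, env)
	return err == nil && out == "true"
}

func main() {
	// Constructed sample values standing in for base64 secrets.
	cases := []map[string]string{
		{"X": "Q09OU1RSVUNURUQ=", "Y": "U0FNUExF"},
		{"X": "Q09OU1RSVUNURUQ=", "Y": ""},
		{"X": "", "Y": ""},
	}
	for _, env := range cases {
		for _, tmpl := range []string{before, after} {
			out, _ := render(tmpl, env)
			fmt.Printf("X set=%-5t Y set=%-5t %-40s -> %q enabled=%t\n",
				env["X"] != "", env["Y"] != "", tmpl, out, enabled(tmpl, env))
		}
	}
}
```

Both templates agree whenever a variable is empty; they differ only when every variable is set, which is the case where the old form renders the last variable's content instead of "true".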

Copilot AI review requested due to automatic review settings March 4, 2026 05:53
@github-actions bot added the ci (CI/CD workflows), docs, and bug (Something isn't working) labels on Mar 4, 2026
Go template `and` returns the last truthy value (the raw env var
content), not the string "true". GoReleaser checks for "true"
specifically. Switch to `ne .Env.X ""` comparisons which return
the boolean true/false that renders as the string "true"/"false".
@github-actions bot removed the ci (CI/CD workflows) and docs labels on Mar 4, 2026
Copilot AI left a comment

Pull request overview

This PR fixes a silent notarization bug in v0.2.2 where macOS code signing was being skipped despite all secrets being present. The root cause was that `{{ and .Env.X .Env.Y }}` in Go templates returns the last truthy value (the raw base64 string), not the boolean true, while GoReleaser's `enabled` field expects exactly the string "true". The fix switches to `{{ and (ne .Env.X "") (ne .Env.Y "") }}`, which correctly returns true/false. The PR also wires up the necessary workflow infrastructure (environment, timeout, secret verification) and aligns the install script's cosign verification to use the `.bundle` format that was introduced in PR #185.

Changes:

  • Fix GoReleaser `enabled` template in `.goreleaser.yaml` to return a proper boolean using `ne .Env.VAR ""` comparisons instead of raw env var truthiness
  • Add the release environment, bump timeout to 45 minutes, and add a pre-flight macOS secrets verification step to the release workflow
  • Update `scripts/install.sh` cosign verification to use the `.bundle` format (dropping separate `.sig`/`.pem` files)

Reviewed changes

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| `.goreleaser.yaml` | Adds `notarize.macos` block with corrected boolean `enabled` template and all required signing/notarization fields |
| `.github/workflows/release.yml` | Adds `environment: release`, increases timeout to 45min, adds pre-flight macOS secrets check, and passes all 5 `MACOS_*` secrets to GoReleaser |
| `scripts/install.sh` | Updates cosign verification to download and use `checksums.txt.bundle` instead of separate `.sig`/`.pem` files |
| `RELEASING.md` | Documents the new environment secrets table and macOS signing step in the release pipeline description |

@jeremy jeremy merged commit ebe5510 into main Mar 4, 2026
21 checks passed
@jeremy jeremy deleted the apple-notarize branch March 4, 2026 05:59