Notarize macOS desktop builds in release workflow #26

@eliothedeman

Blocked on Apple Developer Program enrollment. Once the company Apple Developer account is set up, wire notarization into .github/workflows/release-desktop.yml.

Prerequisites (account setup)

  • Create a dedicated Apple ID under a company email (e.g. apple@empathic.dev), not a personal one
  • Get a D-U-N-S number for the company (free via dnb.com/duns-number)
  • Enroll in Apple Developer Program as Organization ($99/yr) — not Individual, so Gatekeeper shows the company name
  • Enable 2FA on the enrollment Apple ID

Signing + notarization credentials

  • Create a Developer ID Application certificate, export as .p12 with a password
  • Create an App Store Connect API key (Users and Access → Integrations → Keys), role: Developer — download the .p8 (one-time)
  • Add GitHub Actions secrets:
    • APPLE_CERTIFICATE (base64 of the .p12)
    • APPLE_CERTIFICATE_PASSWORD
    • APPLE_SIGNING_IDENTITY (e.g. Developer ID Application: Empathic, Inc. (TEAMID))
    • APPLE_API_ISSUER (issuer UUID)
    • APPLE_API_KEY (key ID)
    • APPLE_API_KEY_PATH (contents of the .p8)

Workflow change

Add these to the env: block on the tauri-action step in .github/workflows/release-desktop.yml:

```yaml
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
APPLE_API_KEY_PATH: ${{ secrets.APPLE_API_KEY_PATH }}
```

tauri-action picks these up automatically — signing and notarization are skipped when secrets are absent, so the workflow stays green in the meantime.

Follow-ups to consider

  • Windows code signing (separate cert, separate issue)
  • Decide whether to also sign dev builds or only release artifacts
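Because signing and notarization are skipped when the secrets are absent, a release can ship unsigned with a green workflow. The preflight below is an added example, not part of this issue or of tauri-action: it distinguishes "all six set", "none set" and "partially set" for the variables listed above. The function name `check_apple_signing_env`, its `true`/`false` argument and its return codes are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the issue or tauri-action): preflight for the six
# variables the issue lists. Only variable names are printed, never values.
APPLE_VARS="APPLE_CERTIFICATE APPLE_CERTIFICATE_PASSWORD APPLE_SIGNING_IDENTITY APPLE_API_ISSUER APPLE_API_KEY APPLE_API_KEY_PATH"

# check_apple_signing_env [true|false]   (hypothetical helper)
#   returns 0: all six set and issuer looks like a UUID -> expect a signed build
#   returns 1: none set and signing not required -> unsigned build is expected
#   returns 2: partial set, malformed issuer, or signing required but nothing set
check_apple_signing_env() {
  _require="${1:-false}"
  _missing=""
  _present=0
  for _name in $APPLE_VARS; do
    # An unset GitHub secret expands to an empty string, so test for non-empty.
    eval "_value=\${$_name:-}"
    if [ -n "$_value" ]; then
      _present=$((_present + 1))
    else
      _missing="$_missing $_name"
    fi
  done

  if [ "$_present" -eq 0 ]; then
    if [ "$_require" = "true" ]; then
      echo "error: signing required but no APPLE_* secrets are set" >&2
      return 2
    fi
    echo "notice: no APPLE_* secrets set; artifact will be unsigned" >&2
    return 1
  fi
  if [ -n "$_missing" ]; then
    echo "error: partial signing config, missing:$_missing" >&2
    return 2
  fi
  # The issue describes APPLE_API_ISSUER as a UUID; catch a pasted key ID here.
  if ! printf '%s' "$APPLE_API_ISSUER" |
      grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "error: APPLE_API_ISSUER is not a UUID" >&2
    return 2
  fi
  echo "ok: all six APPLE_* variables are present" >&2
  return 0
}
# In a run: step ahead of tauri-action: check_apple_signing_env true
```

Passing `true` on tagged release builds turns a missing secret into a failed job instead of an unsigned artifact; passing `false` keeps the current behaviour but still rejects a half-configured set.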
