
chore: enable macOS notarization #149

Merged
benoitf merged 1 commit into kortex-hub:main from benoitf:CLI-117
Apr 1, 2026

Conversation

@benoitf (Contributor) commented Apr 1, 2026

@benoitf benoitf requested a review from feloy April 1, 2026 13:53
coderabbitai bot commented Apr 1, 2026

Warning

Rate limit exceeded

@benoitf has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 34 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 21 minutes and 34 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5fc37fbf-a11f-440d-bf23-a253dbe5d5c7

📥 Commits

Reviewing files that changed from the base of the PR and between 039b27e and e5a3157.

📒 Files selected for processing (3)
  • .github/workflows/next-build.yml
  • .github/workflows/release.yml
  • .goreleaser.yaml
📝 Walkthrough

Adds macOS signing and notarization: workflow steps export macOS signing/notarization secrets into the environment and GoReleaser is configured with a conditional notarize block that uses those variables during macOS release runs.

Changes

  • Next-build workflow (.github/workflows/next-build.yml): Inserted an additional Run GoReleaser step (invokes goreleaser/goreleaser-action) that sets macOS signing/notarization environment variables (MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY, MACOS_NOTARY_KEY_ID, MACOS_NOTARY_ISSUER_ID) before the existing GoReleaser step.
  • Release workflow (.github/workflows/release.yml): Added a step that writes macOS signing/notarization secrets into $GITHUB_ENV so subsequent release steps (including GoReleaser) receive the credentials as env vars.
  • GoReleaser config (.goreleaser.yaml): Added a notarize block for macOS that is conditionally enabled when MACOS_SIGN_P12 is present; wires signing (MACOS_SIGN_P12, MACOS_SIGN_PASSWORD) and notarization credentials (MACOS_NOTARY_ISSUER_ID, MACOS_NOTARY_KEY_ID, MACOS_NOTARY_KEY) from environment variables.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions
  participant Secrets as Repository Secrets
  participant GR as GoReleaser Action
  participant Apple as Apple Notary Service

  GH->>Secrets: read macOS secrets
  Secrets-->>GH: MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY, MACOS_NOTARY_KEY_ID, MACOS_NOTARY_ISSUER_ID
  GH->>GR: run goreleaser with env vars
  GR->>Apple: upload signed macOS artifact for notarization
  Apple-->>GR: notarization result / ticket
  GR->>GH: publish notarized macOS artifact (GitHub Release)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Title check: Passed. The title 'chore: enable macOS notarization' accurately summarizes the main change—adding macOS notarization configuration to the build workflow.
  • Description check: Passed. The description is related to the changeset, providing context about the macOS notarization implementation with references to source documentation and related issue.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:

In @.github/workflows/next-build.yml:
- Around line 81-87: The workflow currently writes multiline secrets (MACOS_SIGN_P12, MACOS_NOTARY_KEY, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY_ID, MACOS_NOTARY_ISSUER_ID) into $GITHUB_ENV using echo, which breaks on multiline values; instead remove those echo lines and pass these secrets directly into the GoReleaser job/step via an env block (e.g., add env: MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}, MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}, etc.) so GoReleaser can read {{.Env.MACOS_SIGN_P12}} and the other variables without newline parsing errors. Ensure the GoReleaser step references those environment variables rather than relying on $GITHUB_ENV.

In @.github/workflows/release.yml:
- Around line 42-48: The current "setup macOS notarization variables" step writes secrets into $GITHUB_ENV via echo which breaks on multiline secrets like MACOS_NOTARY_KEY; remove that echo-based step and instead pass MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY, MACOS_NOTARY_KEY_ID, and MACOS_NOTARY_ISSUER_ID directly into the GoReleaser action's env block (the step that uses the GoReleaser action), e.g. add an env: mapping under the goreleaser step with values set to ${{ secrets.MACOS_SIGN_P12 }}, ${{ secrets.MACOS_SIGN_PASSWORD }}, ${{ secrets.MACOS_NOTARY_KEY }}, ${{ secrets.MACOS_NOTARY_KEY_ID }}, ${{ secrets.MACOS_NOTARY_ISSUER_ID }} so multiline content is preserved and safe for notarization.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c1ac669a-fefa-430c-8c6e-8fed3f0ff2fa

📥 Commits

Reviewing files that changed from the base of the PR and between a0e1d55 and a6d1a7e.

📒 Files selected for processing (3)
  • .github/workflows/next-build.yml
  • .github/workflows/release.yml
  • .goreleaser.yaml
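The multiline-secret problem raised in the inline comments above, shown as an added example (not code from this PR, from GoReleaser or from CodeRabbit): a POSIX shell script writes a constructed placeholder key into a GITHUB_ENV-style file once with the echo pattern and once with the delimiter form GitHub documents for multiline values, then reads it back the way the runner parses that file. The secret value, the variable name reuse and the helper function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the kortex-hub PR. The runner reads GITHUB_ENV as
# KEY=value lines or KEY<<DELIM ... DELIM blocks, so `echo "KEY=$secret" >> $GITHUB_ENV`
# keeps only the first line of a multiline value; the rest is not a valid entry.
# SECRET_PEM is a constructed placeholder, not a real notary key.
SECRET_PEM='-----BEGIN PRIVATE KEY-----
placeholder-line-1
placeholder-line-2
-----END PRIVATE KEY-----'

# The pattern the review objects to: one KEY=value line per variable.
write_with_echo() {
  printf '%s=%s\n' MACOS_NOTARY_KEY "$SECRET_PEM" > "$1"
}

# The multiline form documented for GITHUB_ENV: KEY<<DELIM, value lines, DELIM.
write_with_delimiter() {
  {
    printf '%s<<%s\n' MACOS_NOTARY_KEY EOF_NOTARY
    printf '%s\n' "$SECRET_PEM"
    printf '%s\n' EOF_NOTARY
  } > "$1"
}

# Reads one variable ($2) back from a GITHUB_ENV-style file ($1), honouring both
# KEY=value lines and KEY<<DELIM blocks. Lines that are neither (the tail of a
# multiline value written with echo) never become part of any value.
read_env_value() {
  awk -v want="$2" '
    inblk { if ($0 == delim) inblk = 0; else { if (have) val = val "\n" $0; else val = $0; have = 1 }; next }
    /^[A-Za-z_][A-Za-z0-9_]*<<.+/ { n = index($0, "<<"); if (substr($0, 1, n - 1) == want) { delim = substr($0, n + 2); inblk = 1; have = 0 }; next }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { n = index($0, "="); if (substr($0, 1, n - 1) == want) val = substr($0, n + 1); next }
    END { printf "%s", val }
  ' "$1"
}

# Exit status 0 when the value survived the round trip unchanged, 1 otherwise.
value_intact() {
  [ "$(read_env_value "$1" MACOS_NOTARY_KEY)" = "$SECRET_PEM" ]
}
```

Passing the secrets through the step-level env: block, as the review suggests, avoids the shell line entirely, so no delimiter handling is needed there.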

coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/next-build.yml (1)

81-100: ⚠️ Potential issue | 🔴 Critical

YAML syntax error and duplicate GoReleaser step will break the workflow.

Two issues here:

  1. Indentation mismatch: Lines 81-92 use 7 spaces before the -, while the rest of the file uses 6 spaces. This causes the YAML parsing error flagged by static analysis.

  2. Duplicate release step: The workflow now has two "Run GoReleaser" steps (lines 81-92 and 94-100). Running goreleaser release twice will fail since you cannot release the same version twice.

The intent appears to be adding MACOS_* secrets to the existing GoReleaser step. Consolidate into a single step with correct indentation:

Proposed fix
-       - name: Run GoReleaser
-         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
-         with:
-           version: "~> v2.14"
-           args: release --clean
-         env:
-           GITHUB_TOKEN: ${{ secrets.KORTEX_BOT_TOKEN }}
-           MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
-           MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
-           MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
-           MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
-           MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
-
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:
           version: "~> v2.14"
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.KORTEX_BOT_TOKEN }}
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
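Review bot: the consolidated step scopes the five MACOS_* secrets to the GoReleaser step through its own env: block, which also resolves the earlier inline comments about echo into $GITHUB_ENV mangling multiline values such as MACOS_NOTARY_KEY, because the values no longer pass through a shell line at all. The removed and kept `- name: Run GoReleaser` lines differ only by one leading space, which is hard to see in the rendered diff, so after applying this please confirm the surviving step sits at the file's 6-space indentation; otherwise the parse error flagged by static analysis remains.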
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/next-build.yml around lines 81 - 100, The workflow has a duplicated "Run GoReleaser" step and inconsistent indentation causing YAML parse errors; remove the duplicate step and merge the MACOS_* env variables into the original "Run GoReleaser" step (the step whose name is "Run GoReleaser") so only one goreleaser/goreleaser-action block remains, and fix the leading spaces to match the file's existing indentation style (use the same 6-space indentation used elsewhere) so the single step contains version, args, and all env entries (GITHUB_TOKEN plus MACOS_SIGN_P12, MACOS_SIGN_PASSWORD, MACOS_NOTARY_KEY, MACOS_NOTARY_KEY_ID, MACOS_NOTARY_ISSUER_ID).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 938cd075-b4df-449e-8301-06ba21101c97

📥 Commits

Reviewing files that changed from the base of the PR and between a6d1a7e and 039b27e.

📒 Files selected for processing (1)
  • .github/workflows/next-build.yml

related to kortex-hub#117

Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Florent Benoit <fbenoit@redhat.com>
@benoitf benoitf merged commit 978b769 into kortex-hub:main Apr 1, 2026
6 checks passed