fix(ci): sign macOS artifacts only on release tags#1348

Open
TimeToBuildBob wants to merge 1 commit into ActivityWatch:master from TimeToBuildBob:fix/master-ci-macos-signing

Conversation

@TimeToBuildBob

Contributor

Root cause

Master push run https://github.com/ActivityWatch/activitywatch/actions/runs/28720318129 fails only in the macOS Package dmg steps. The P12 imports, but security find-identity -v -p codesigning reports 0 valid identities found, so the repository signing certificate/chain is currently not usable on the runner.

Branch pushes are CI signals, not release publications. They should still build DMGs, but stale signing secrets should not make every master push red. Tagged v* releases are the place where signing/notarization must remain mandatory.

Change

  • Gate macOS signing/notarization on GITHUB_REF == refs/tags/v* in both Qt and Tauri DMG packaging steps.
  • Keep unsigned DMG creation for branch/PR builds.
  • On release tags, fail fast if signing credentials are missing or if the imported certificate does not produce a valid codesigning identity.

Verification

  • bash -n on the changed DMG packaging shell block.
  • Parsed .github/workflows/release.yml with PyYAML.

This should clear master CI for ordinary pushes while still surfacing the real signing-secret problem before publishing a tagged release.
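The two-phase release-tag guard described above (tag gate, then secret validation, then the codesigning identity check), written out as an added bash example. This is not the PR's workflow code; the function names, the secret variable names and the sample "security find-identity" output are assumed or constructed here.

```bash
# Added example, not the PR's workflow code: the release-tag signing guard
# described above, factored into functions so each phase runs offline.
# Secret names and the "security" output samples are assumed/constructed.
set -euo pipefail

# Phase 0: only refs/tags/v* is a release publication; every other ref is a
# CI signal that still gets an unsigned DMG. Unquoted RHS so the glob matches.
should_sign_macos() { [[ "${1:-}" == refs/tags/v* ]]; }

# Phase 1: every signing secret must be non-empty. ${!var:-} is bash-only
# indirect expansion, hence the workflow's "shell: bash".
REQUIRED_SIGNING_VARS=(APPLE_EMAIL APPLE_PASSWORD APPLE_TEAM_ID APPLE_P12_BASE64 APPLE_P12_PASSWORD)
missing_signing_secrets() {
  local var
  for var in "${REQUIRED_SIGNING_VARS[@]}"; do
    [[ -n "${!var:-}" ]] || printf '%s\n' "$var"
  done
}

# Phase 2: a P12 that imports but produces no usable identity shows up as
# "0 valid identities found". $1 is the captured output of:
#   security find-identity -v -p codesigning
count_valid_identities() {
  local n
  n="$(printf '%s\n' "$1" | sed -n 's/^ *\([0-9]\{1,\}\) valid identities found.*/\1/p' | tail -n 1)"
  printf '%s\n' "${n:-0}"
}

# Prints "unsigned" for branch/PR refs, "signed" when a release tag can sign,
# and fails fast (non-zero, reason on stderr) when a release tag cannot.
plan_macos_packaging() {
  local ref="$1" identity_output="$2" missing
  should_sign_macos "$ref" || { echo unsigned; return 0; }
  missing="$(missing_signing_secrets)"
  [[ -z "$missing" ]] || { echo "ERROR: $ref: missing secrets: ${missing//$'\n'/ }" >&2; return 1; }
  [[ "$(count_valid_identities "$identity_output")" -gt 0 ]] \
    || { echo "ERROR: $ref: certificate yields no valid codesigning identity" >&2; return 1; }
  echo signed
}

# Constructed samples of what the runner's "security" command prints.
SAMPLE_NO_IDENTITY='     0 valid identities found'
SAMPLE_ONE_IDENTITY='  1) 0000000000000000000000000000000000000000 "Developer ID Application: Example (TEAMID)"
     1 valid identities found'
```

In a workflow step this would run after import-macos-p12.sh, with the real command output captured into identity_output and the step exiting non-zero on the ERROR paths so a tagged release never ships unsigned.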

greptile-apps Bot commented Jul 4, 2026

Contributor

Greptile Summary

This PR fixes intermittent master CI failures caused by a stale or broken macOS code-signing certificate by gating the signing and notarization steps on release tag pushes (refs/tags/v*) rather than on the presence of APPLE_EMAIL.

  • Branch and PR builds now produce unsigned DMGs unconditionally, so a bad certificate never blocks ordinary pushes.
  • Release tag builds validate all five signing secrets up-front and fail fast if the imported certificate yields no valid codesigning identity, ensuring signing problems are surfaced before a release is published.
  • The same two-phase guard (secret validation → identity check) is applied consistently to both the Qt and Tauri Package dmg steps.

Confidence Score: 5/5

Safe to merge — the change only affects macOS DMG signing logic and does not touch build, test, or release upload steps.

The bash glob pattern [[ "${GITHUB_REF:-}" == refs/tags/v* ]] is used correctly inside [[ ]] with an unquoted RHS so the wildcard matches as intended. Both jobs declare shell: bash, making ${!var:-} indirect expansion safe. The pre-existing APPLE_PERSONALID: "" env initializer still works because the script only exports a populated value inside the signing block. The logic is applied identically to both the Qt and Tauri packaging steps, and the fail-fast checks on release tags are a meaningful improvement over the old credential-presence test.

No files require special attention.

Important Files Changed

Filename: .github/workflows/release.yml
Overview: Adds a SIGN_MACOS gate using [[ GITHUB_REF == refs/tags/v* ]] in both the Qt and Tauri Package dmg steps; branch/PR builds produce unsigned DMGs while release tag builds validate all signing secrets and fail fast if the imported certificate yields no valid codesigning identity.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Package dmg step triggered] --> B{runner.os == macOS?}
    B -- No --> Z[Skip step]
    B -- Yes --> C{GITHUB_REF == refs/tags/v*?}
    C -- No: branch / PR push --> D[SIGN_MACOS=false]
    C -- Yes: tag push --> E[SIGN_MACOS=true]

    D --> G[make dist/ActivityWatch.dmg\nunsigned]
    G --> H[mv DMG to versioned filename]

    E --> F[Validate all 5 signing secrets\nfail-fast if any missing]
    F --> I[import-macos-p12.sh]
    I --> J{security find-identity\nreturns a valid identity?}
    J -- No --> K[ERROR: exit 1]
    J -- Yes --> L[export APPLE_PERSONALID]
    L --> M[make dist/ActivityWatch.dmg]
    M --> N[codesign DMG]
    N --> O[xcnotary precheck app + dmg]
    O --> P[make dist/notarize]
    P --> H
