Notarize: Check Status #34
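# =============================================================================
# notarize-check.yml - Check notarization status and staple if accepted
#
# Run this after submitting via notarize-submit.yml.
# Does a SINGLE status check (no polling loop) - takes seconds, not minutes.
# Re-run it as often as you like until Apple finishes processing.
#
# Inputs:
#   submission_id - Apple notarization UUID (from notarize-submit.yml log)
#   build_run_id  - GitHub Actions run ID that produced the Row-Bot-macOS artifact
#
# Outcomes:
#   In Progress   - prints status, exits successfully. Run again later.
#   Accepted      - staples DMG, uploads Row-Bot-macOS-stapled artifact.
#   Invalid       - dumps Apple's rejection log, exits with error.
#   anything else - prints the raw API response and exits with error, so an
#                   unhandled status never ends the job green.
# =============================================================================
name: "Notarize: Check Status"

on:
  workflow_dispatch:
    inputs:
      submission_id:
        description: 'Apple notarization submission UUID'
        required: true
      build_run_id:
        description: 'GitHub Actions run ID that produced the DMG artifact'
        required: true

# Least privilege for GITHUB_TOKEN: download-artifact needs actions:read to
# fetch an artifact from another run; nothing in this workflow writes to the
# repository.
permissions:
  actions: read
  contents: read

jobs:
  check:
    runs-on: macos-latest
    timeout-minutes: 15
    steps:
      - name: Download signed DMG from build run
        uses: actions/download-artifact@v8
        with:
          name: Row-Bot-macOS
          path: dist
          run-id: ${{ inputs.build_run_id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Check notarization status
        id: status
        env:
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          SUBMISSION_ID: ${{ inputs.submission_id }}
        run: |
          set -euo pipefail

          # Exactly one DMG is expected in the artifact. Count the glob matches
          # (instead of parsing `ls | head -n1`) so zero or several DMGs fail
          # loudly rather than silently stapling whichever sorted first.
          dmg_count=0
          DMG_PATH=""
          for candidate in dist/Row-Bot-*-macOS-*.dmg; do
            [ -e "$candidate" ] || continue
            dmg_count=$((dmg_count + 1))
            DMG_PATH="$candidate"
          done
          if [ "$dmg_count" -ne 1 ]; then
            echo "::error::Expected exactly one Row-Bot-*-macOS-*.dmg in dist/, found ${dmg_count}."
            ls -la dist || true
            exit 1
          fi
          echo "DMG: $DMG_PATH"
          echo "Submission ID: $SUBMISSION_ID"
          # Exported so the upload step uploads exactly the file that was stapled.
          echo "dmg_path=$DMG_PATH" >> "$GITHUB_OUTPUT"
          echo ""

          # Keep stdout (JSON) and stderr apart: a warning on stderr would
          # otherwise corrupt the JSON document parsed below.
          # NOTE: --password places the app-specific password on the command
          # line of this one process; acceptable on an ephemeral hosted runner.
          info_json="$RUNNER_TEMP/notary_info.json"
          info_err="$RUNNER_TEMP/notary_info.err"
          if ! xcrun notarytool info "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --password "$APPLE_APP_PASSWORD" \
                --team-id "$APPLE_TEAM_ID" \
                --output-format json > "$info_json" 2> "$info_err"; then
            echo "::error::Failed to query Apple notarization API:"
            cat "$info_err" "$info_json" || true
            exit 1
          fi

          status="$(python3 -c 'import json,sys; print(json.load(open(sys.argv[1])).get("status","Unknown"))' "$info_json")"
          echo "Status: $status"
          echo "status=$status" >> "$GITHUB_OUTPUT"
          echo ""

          case "$status" in
            "In Progress")
              echo "------------------------------------------------------------"
              echo "  STILL PROCESSING"
              echo "  Apple is still reviewing the submission."
              echo "  Re-run this workflow to check again."
              echo "------------------------------------------------------------"
              ;;
            Accepted)
              echo "Notarization ACCEPTED! Stapling ticket into DMG..."
              # Apple CloudKit can take a few minutes to propagate the ticket
              # after notarization is accepted - retry with linear backoff
              # (30s, 60s, 90s, 120s; 5 min total, inside timeout-minutes).
              STAPLE_OK=false
              for attempt in 1 2 3 4 5; do
                echo "Staple attempt $attempt/5..."
                if xcrun stapler staple "$DMG_PATH" 2>&1; then
                  STAPLE_OK=true
                  break
                fi
                if [ "$attempt" -lt 5 ]; then
                  wait_secs=$((attempt * 30))
                  echo "Staple not ready yet - waiting ${wait_secs}s before retry..."
                  sleep "$wait_secs"
                fi
              done
              if [ "$STAPLE_OK" != "true" ]; then
                echo "::error::Failed to staple after 5 attempts. Apple ticket not yet propagated."
                echo "Re-run this workflow in a few minutes."
                exit 1
              fi
              # Confirms the ticket is actually attached before it is published.
              echo "Verifying staple..."
              xcrun stapler validate "$DMG_PATH"
              echo ""
              echo "------------------------------------------------------------"
              echo "  STAPLED DMG READY"
              echo "  Download the 'Row-Bot-macOS-stapled' artifact from this run,"
              echo "  verify locally, then attach to the GitHub Release."
              echo "------------------------------------------------------------"
              ;;
            Invalid|Rejected)
              # Both are terminal failure states of the Notary API.
              echo "::error::Notarization ${status} by Apple."
              echo "Fetching rejection details..."
              xcrun notarytool log "$SUBMISSION_ID" \
                --apple-id "$APPLE_ID" \
                --password "$APPLE_APP_PASSWORD" \
                --team-id "$APPLE_TEAM_ID" || true
              exit 1
              ;;
            *)
              # Unknown status must not pass silently: fail so nobody mistakes
              # a green run for a successful check.
              echo "::error::Unexpected status: ${status}"
              echo "Full response:"
              cat "$info_json"
              exit 1
              ;;
          esac

      - name: Upload stapled DMG
        if: steps.status.outputs.status == 'Accepted'
        uses: actions/upload-artifact@v7
        with:
          name: Row-Bot-macOS-stapled
          # Upload the one file the previous step stapled, not a glob that
          # could pick up other DMGs.
          path: ${{ steps.status.outputs.dmg_path }}
          if-no-files-found: error
          retention-days: 90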