fix(desktop): notarize the .app zip

This commit is contained in:
zhayujie
2026-07-06 10:19:54 +08:00
parent a871c0437d
commit a951494489
4 changed files with 18 additions and 151 deletions

View File

@@ -108,6 +108,10 @@ jobs:
# is the correct state for unsigned builds.
MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
MAC_CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
# electron-builder's built-in notarization reads these.
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
run: |
@@ -128,57 +132,15 @@ jobs:
# Never let electron-builder publish: our publish target is a generic
# (read-only) feed served from R2/D1, which it can't upload to. We mirror
# installers to R2 and register them in D1 ourselves (publish-r2 job).
# `--publish never` still emits the latest*.yml files we parse for sha512.
# Use the dynamic config (electron-builder.js) so mac.binaries is
# populated with the embedded backend's Mach-O files for signing.
# electron-builder signs but does NOT notarize (notarize:false); the
# dedicated step below notarizes + staples with retry.
# `--publish never` still emits the latest*.yml files.
# Use the dynamic config (electron-builder.js): it populates
# mac.binaries (backend Mach-O files to sign) and enables built-in
# notarization, which zips the .app and submits that (the path Apple
# actually accepts for this large bundle) then staples + packs the dmg.
npx electron-builder ${{ matrix.eb_flags }} --config electron-builder.js --publish never
# Whether Mac signing secrets are present. `secrets` can't be used in a
# step `if:` directly, and step-level `env` isn't visible to that step's
# own `if:`, so surface it as an output for the notarize step to gate on.
- name: Check mac signing secrets
id: macsign
if: matrix.platform == 'mac'
shell: bash
env:
MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
run: |
if [ -n "$MAC_CSC_LINK" ]; then
echo "enabled=true" >> "$GITHUB_OUTPUT"
else
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "::notice::MAC_CSC_LINK not set — skipping notarization (unsigned build)."
fi
# Notarize + staple the dmg: submit ONCE, then poll that submission id
# until Accepted/Invalid (see notarize-dmg.sh — never resubmits).
# Skipped for Windows and for unsigned builds (no cert).
- name: Notarize macOS dmg
if: matrix.platform == 'mac' && steps.macsign.outputs.enabled == 'true'
working-directory: desktop
shell: bash
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
shopt -s nullglob
dmgs=(release/*.dmg)
if [ ${#dmgs[@]} -eq 0 ]; then
echo "::error::no dmg found to notarize"
exit 1
fi
for dmg in "${dmgs[@]}"; do
bash build/notarize-dmg.sh "$dmg"
done
# Always upload artifacts, even when notarization timed out. The
# notarization ticket is keyed to the dmg's hash on Apple's servers: if
# the submission is eventually Accepted, THIS exact dmg becomes valid
# as-is (download it, `xcrun stapler staple`, publish manually) — no
# rebuild needed. Rebuilding would change the hash and waste the ticket.
# Upload artifacts regardless of outcome, so a failed run still surfaces
# the built installers (and, on success, the notarized+stapled dmg).
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v4