build(release): add macOS notarization and Windows code signing #243
Merged
Conversation
Brings the release pipeline to parity with backend.ai-go's packaging workflow so published artifacts are trusted by Gatekeeper and SmartScreen out of the box.

macOS:
- After the existing codesign step, submit a ditto'd zip of the binary to `xcrun notarytool submit --wait` using the App Store Connect API key (AC_API_KEY_ID / AC_API_ISSUER_ID / AC_API_PRIVATE_KEY_P8 secrets already configured in the `packaging` environment).
- On Invalid/Rejected, fetch `notarytool log` for diagnostics before failing.
- Verify with `spctl --assess --type execute`; treat ticket-propagation lag as a warning, not a hard failure.
- Stapling is intentionally skipped — `xcrun stapler` only operates on .app/.dmg/.pkg containers, not on bare Mach-O executables. Gatekeeper verifies the ticket online at first launch instead.
- API key file is written to `$RUNNER_TEMP` with chmod 600 and removed unconditionally via `trap`.

Windows:
- Switch the matrix entry from `windows-latest` to the self-hosted `windows-on-macmini02-x64` runner that already hosts the signing certificate in its Windows Certificate Store (same runner used by backend.ai-go).
- Sign all-smi.exe with `signtool sign /tr http://ts.ssl.com/ /td sha256 /fd sha256 /a` before the `Compress-Archive` step so the released zip contains the signed binary.
- Verify with `signtool verify /pa` (warn-only on transient verification failure).
- Pin CARGO_HOME / RUSTUP_HOME to persistent paths outside GITHUB_WORKSPACE so the registry survives workspace cleanup; skip the actions/cache step on this runner since the persistent paths already handle it.

Closes #242
Summary
Brings the release pipeline to parity with backend.ai-go's packaging workflow so published artifacts are trusted by Gatekeeper and SmartScreen out of the box. All changes are confined to `.github/workflows/release.yml`.

macOS — added notarization after existing codesign
- Submit a ditto'd zip of the already-codesigned binary to `xcrun notarytool submit --wait` using the App Store Connect API key (`AC_API_KEY_ID`/`AC_API_ISSUER_ID`/`AC_API_PRIVATE_KEY_P8` secrets — already configured in the `packaging` environment but previously unused).
- On Invalid/Rejected, fetch `xcrun notarytool log <id>` for diagnostics before failing the job.
- Verify with `spctl --assess --type execute --verbose`; treat ticket-propagation lag as a warning (not a hard failure) since Gatekeeper checks online at first launch regardless.
- Stapling is skipped: `xcrun stapler` only operates on `.app`/`.dmg`/`.pkg` containers, not on bare Mach-O executables. The notarization ticket lives on Apple's servers and Gatekeeper fetches it online — no offline ticket is needed for a single-binary CLI.
- The API key file is written to `$RUNNER_TEMP` with `chmod 600` and removed unconditionally via `trap cleanup EXIT`.

Windows — switched to self-hosted runner and added signtool
- `os` changed from `windows-latest` → `windows-on-macmini02-x64`, the same self-hosted runner used by `backend.ai-go`. Certificate is already installed in the Windows Certificate Store on that runner.
- Sign `all-smi.exe` with `signtool sign /tr http://ts.ssl.com/ /td sha256 /fd sha256 /a` before the `Compress-Archive` step so the released `.zip` contains the signed `.exe`.
- Verify with `signtool verify /pa` (warn-only — verification can lag right after signing on the timestamp authority).
- Pin `CARGO_HOME`/`RUSTUP_HOME` to `C:\.cargo`/`C:\.rustup` outside `GITHUB_WORKSPACE` so the registry survives workspace cleanup between jobs.
- Skip the `actions/cache` step on this runner since the persistent paths already handle caching; keeping it would only mirror an empty `~/.cargo`.

Out of scope (per #242)
- `.pkg`/`.dmg` installers for macOS (stays single-binary)
- `ci.yml` (still runs on `windows-latest`)

Test plan
This workflow only triggers on `release: published` and `workflow_dispatch`. Validation needs to happen on the next release or a manual dispatch:
- Run `workflow_dispatch` against a draft tag (or wait for the next published release) and confirm:
  - `Notarize macOS binary` step runs to completion with `status: Accepted` and `spctl --assess` reports the binary is trusted
  - Windows job runs on `windows-on-macmini02-x64` (not GitHub-hosted), `Sign Windows binary with signtool` step exits 0, signed `all-smi-windows-x86_64.zip` is uploaded
- `spctl --assess --verbose --type execute /path/to/all-smi` reports `accepted` and `Notarized Developer ID`
- `Get-AuthenticodeSignature .\all-smi.exe` reports `Valid` with a non-expired timestamp
- `Cache cargo` step is skipped on the Windows job and present on the others

Closes #242
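The macOS notarization step the summary above outlines (key file with 0600 and unconditional `trap` cleanup, `ditto` zip, `notarytool submit --wait`, `notarytool log` on Invalid/Rejected, warn-only `spctl`), written out as a stand-alone POSIX shell script. This is an added example and is not the all-smi project's `release.yml` nor the PR author's code. The secret names `AC_API_KEY_ID`/`AC_API_ISSUER_ID`/`AC_API_PRIVATE_KEY_P8` and `RUNNER_TEMP` follow the PR description; the function names, the abridged `notarytool` transcripts and the all-zero submission ids are constructed for the example. The status-parsing and key-file helpers run on any host; `notarize` and `verify_gatekeeper` need the Xcode command line tools.

```shell
#!/bin/sh
# Added example (not all-smi's release.yml): macOS notarization as a script.
# Assumed env: AC_API_KEY_ID, AC_API_ISSUER_ID, AC_API_PRIVATE_KEY_P8, RUNNER_TEMP.
# Usage: sh notarize.sh target/release/all-smi   (path to the codesigned Mach-O)

# ---- pure helpers: run anywhere, no Xcode needed --------------------------

# Print the final "status:" field of `notarytool submit --wait` output. The
# "Current status: Accepted...." progress line is skipped (its $1 is "Current
# status"). With no status line at all (auth/upload failed before a submission
# existed) print "unknown" so the caller fails hard instead of treating it as lag.
parse_notary_status() {
  awk -F': *' '
    tolower($1) ~ /^ *status$/ { print $2; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Print the submission id, needed for `notarytool log` when notarization fails.
parse_submission_id() {
  awk -F': *' 'tolower($1) ~ /^ *id$/ { print $2; exit }'
}

# Map notarytool output to an action: "accepted", "fetch-log <id>" for
# Invalid/Rejected, or "fail <status>" for anything else.
classify_submission() {  # $1 = captured notarytool output
  _status=$(printf '%s\n' "$1" | parse_notary_status)
  _id=$(printf '%s\n' "$1" | parse_submission_id)
  case "$_status" in
    Accepted)         echo "accepted" ;;
    Invalid|Rejected) echo "fetch-log ${_id:-unknown}" ;;
    *)                echo "fail $_status" ;;
  esac
}

# Write the .p8 key so it is never group/world readable, not even briefly:
# umask 077 creates it 0600; the chmod also covers a pre-existing file.
write_api_key() {  # $1 = path, $2 = PEM contents
  (umask 077 && printf '%s\n' "$2" > "$1") && chmod 600 "$1"
}

# Constructed, abridged notarytool transcripts with placeholder ids (not real
# submissions) so classify_submission can be exercised offline.
SAMPLE_ACCEPTED='Submission ID received
  id: 00000000-0000-4000-8000-000000000001
Waiting for processing to complete.
Current status: Accepted......
Processing complete
  id: 00000000-0000-4000-8000-000000000001
  status: Accepted'
SAMPLE_INVALID='Submission ID received
  id: 00000000-0000-4000-8000-000000000002
Processing complete
  id: 00000000-0000-4000-8000-000000000002
  status: Invalid'

# ---- steps that need the Xcode command line tools ------------------------

notarize() {  # $1 = binary, $2 = key file, $3 = zip to create
  # ditto keeps the Mach-O's extended attributes that a plain `zip` can drop.
  ditto -c -k --keepParent "$1" "$3"
  _out=$(xcrun notarytool submit "$3" --wait \
           --key "$2" --key-id "$AC_API_KEY_ID" --issuer "$AC_API_ISSUER_ID" 2>&1) || true
  printf '%s\n' "$_out"                 # keep the full transcript in the CI log
  _action=$(classify_submission "$_out")
  case "$_action" in
    accepted) return 0 ;;
    "fetch-log "*)
      _sid=${_action#fetch-log }
      echo "::error::notarization failed for submission $_sid; log follows"
      xcrun notarytool log "$_sid" \
        --key "$2" --key-id "$AC_API_KEY_ID" --issuer "$AC_API_ISSUER_ID" || true
      return 1 ;;
    *) echo "::error::unexpected notarytool result: $_action"; return 1 ;;
  esac
}

# Ticket propagation can lag behind "Accepted", and Gatekeeper re-checks online
# at first launch anyway, so this check is warn-only by design.
verify_gatekeeper() {  # $1 = binary
  if spctl --assess --type execute --verbose "$1"; then
    echo "Gatekeeper accepted $1"
  else
    echo "::warning::spctl has not accepted $1 yet (ticket propagation lag?)"
  fi
}

main() {
  _tmp=${RUNNER_TEMP:-${TMPDIR:-/tmp}}
  _key="$_tmp/AuthKey_$AC_API_KEY_ID.p8"
  _zip="$_tmp/notarize.zip"
  # Unconditional cleanup: fires on success, on `return 1`, and on set -e aborts.
  trap 'rm -f "$_key" "$_zip"' EXIT
  write_api_key "$_key" "$AC_API_PRIVATE_KEY_P8"
  notarize "$1" "$_key" "$_zip"
  verify_gatekeeper "$1"
}

# Only act when given a binary path; without arguments the file just defines
# the functions, so the pure helpers can be exercised on any host.
if [ "$#" -gt 0 ]; then
  set -eu
  main "$1"
fi
```

Two details worth keeping when porting this into a workflow step: the `fetch-log` branch is taken only for `Invalid`/`Rejected`, so an auth or upload failure (no `status:` line at all) surfaces as `fail unknown` and stops the job rather than being mistaken for propagation lag; and the `trap` is registered before the key is written, so the `.p8` is removed even if `ditto` or `xcrun` aborts under `set -e`.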