fix: notarization key decode + self-healing rebuild + build-target selector#256
Merged
Merged
Conversation
The notarize step wrote the AC_API_PRIVATE_KEY_P8 secret to AuthKey.p8 verbatim, but the secret is stored base64-encoded (same convention as DEV_ID_CERT_P12, which import-codesign-certs consumes as base64). notarytool then failed parsing the base64 blob as a PKCS#8 key with "Error: invalidAsn1". Decode the secret back to PEM before passing it to notarytool: auto-detect raw-PEM vs base64 input, strip CR from CRLF pastes, guard against an empty secret, and validate with 'openssl pkey' so a malformed key fails with a clear message instead of the opaque notarytool error.
…tags GitHub always runs the release.yml baked into the triggering ref, so a broken step in an old tag's workflow (e.g. the notarization fix in this PR) cannot be applied by re-running that tag. Point actions/checkout at the release tag (release event) or the release_tag input (workflow_dispatch), falling back to the triggering commit. The latest workflow can now rebuild a past tag's source by dispatching from a branch carrying the fix and passing release_tag, instead of being stuck with the workflow file frozen in that tag.
Add a 'targets' workflow_dispatch input (comma-separated: windows, linux, macos, all; empty = all) so a manual run can build a subset of platforms. A new 'setup' job resolves the input into a filtered build matrix that the build job consumes via fromJSON, keeping one source of truth for the platform list; real release events always build every target. Combined with release_tag, this allows rebuilding a single platform of a past tag (e.g. re-notarize only macOS) without rebuilding everything.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Three related improvements to the release workflow: fix the macOS notarization failure, make the workflow able to rebuild old tags, and let a manual run target a subset of platforms.
1. Notarization fix —
invalidAsn1The macOS release build fails at notarization:
First run of the notarization step added in #243 (v0.21.1).
Root cause.
invalidAsn1meansxcrun notarytoolcould not parse the.p8key as a PKCS#8 (ASN.1) private key while building its App Store Connect JWT — a key-format problem, not a binary/signing problem. Code signing (which runs first) succeeds, soDEV_ID_CERT_*is fine; the issue is isolated to the API key. TheAC_API_PRIVATE_KEY_P8secret is stored base64-encoded (same convention asDEV_ID_CERT_P12, consumed as base64 byapple-actions/import-codesign-certsviap12-file-base64), but the ported step wrote it toAuthKey.p8verbatim — so notarytool received a base64 blob instead of PEM.Fix. Decode the secret back to PEM before handing it to notarytool: auto-detect raw-PEM vs base64 input, strip
CRfrom CRLF pastes, fail fast on an empty secret, and validate the materialized key withopenssl pkeyso a malformed key produces a clear warning instead of the opaqueinvalidAsn1.2. Self-healing release checkout
GitHub always executes the
release.ymlbaked into the triggering ref, so a bug in an old tag's workflow can't be fixed by re-publishing/re-running that tag — exactly why the §1 fix wouldn't retroactively apply to the v0.21.1 tag.actions/checkoutnow checks out the target tag's source (release tag for thereleaseevent, or therelease_taginput forworkflow_dispatch, falling back to the triggering commit). This decouples which workflow runs from which source is built: dispatch from a branch carrying the fixed workflow and passrelease_tag=v0.21.1, and the fixed workflow rebuilds the v0.21.1 source and uploads notarized artifacts onto that release. Asset names/protoc version are static and the binary version comes from the checked-outCargo.toml, so changing the checkout ref has no naming/version side effects.3. Build-target selector
New
targetsworkflow_dispatchinput (comma-separatedwindows,linux,macos, orall; empty = all) so a manual run can build a subset of platforms. A newsetupjob resolves the input into a filtered build matrix thatbuildconsumes viafromJSON(needs.setup.outputs.includes)— one source of truth for the platform list. Realreleaseevents always build every target (the input only filters manual dispatch). Input is case/space-insensitive and rejects unknown tokens.Combined with §2, this allows rebuilding just one platform of a past tag — e.g. re-notarize only macOS for v0.21.1 without rebuilding Linux/Windows.
Verification
opensslINVALID, reproducinginvalidAsn1.setupscript from the YAML and ran it for every input —''/all→6 targets,macos→1,linux,macos→5,Windows, MacOS→2 (case/space ok), dedup ok,bogus→exit 1.yaml.safe_load;build.needs == setupandmatrix.include == fromJSON(...)confirmed.Recovering v0.21.1 after merge
# Rebuild + re-notarize only macOS for v0.21.1: gh workflow run release.yml --repo lablup/all-smi \ --ref main -f release_tag=v0.21.1 -f targets=macos