Conversation
Signed-off-by: philippe-ynput <philippe@ynput.io>
Signed-off-by: philippe-ynput <philippe@ynput.io>
Introduce `AYON_APPLE_CODESIGN` environment variable to control code signing independently from notarization. Notarization now requires both `AYON_APPLE_CODESIGN=1` and `AYON_APPLE_NOTARIZE=1` to be set. Update CI workflows to conditionally enable signing and notarization based on release events or manual input via new `enable_macos_signing` parameter. This allows non-release CI builds to skip signing while maintaining backward compatibility with existing release workflows. Changes include: - Add `enable_macos_signing` input to build_launcher workflow - Conditionally execute signing steps in macOS build job - Update build scripts to respect `AYON_APPLE_CODESIGN` flag - Add helper functions for checking signing/notarization status - Update documentation with new environment variable and usage examples Signed-off-by: philippe-ynput <philippe@ynput.io>
There was a problem hiding this comment.
Pull request overview
Improves macOS build/release ergonomics by making code signing and notarization explicitly controllable in both local builds and GitHub Actions, allowing non-release CI builds to skip signing/notarization while keeping release behavior intact.
Changes:
- Adds
AYON_APPLE_CODESIGNas a build flag and wires it into local build scripting and CI workflow env. - Refactors macOS notarization gating in
tools/build_post_process.pyto avoid notarizing unsigned artifacts (and adds command timing logs). - Updates macOS build documentation to explain the new flags and provide CI/local examples.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
tools/make.sh |
Adds AYON_APPLE_CODESIGN gating for app bundle signing (and skip messaging). |
tools/build_post_process.py |
Centralizes “codesign/notarize enabled” checks; notarization now requires signing to be enabled. |
.github/workflows/build_launcher.yml |
Adds enable_macos_signing input and conditionally enables cert import/notarization + sets env flags. |
.github/workflows/create_release.yml |
Ensures release builds call the reusable build workflow with macOS signing enabled. |
docs/build_guides/macos.md |
Documents the new env var and CI/local usage patterns. |
tools/macos/SIGNING_CONFIG.md |
Expands signing/notarization configuration guidance and examples to include AYON_APPLE_CODESIGN. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| enable_macos_signing: | ||
| description: 'Enable macOS signing and notarization' | ||
| required: false | ||
| default: false |
There was a problem hiding this comment.
Is workflow_call used when the release with published is triggered? If yes then the default should be true.
| default: false | |
| default: true |
There was a problem hiding this comment.
# File: .github/workflows/create_release.yml
112: build:
113: needs: release
114: uses: ./.github/workflows/build_launcher.yml
115: with:
116: tag_name: ${{ needs.release.outputs.version }}
117: enable_macos_signing: true
118: secrets: inherit
119: it is explicitly set here @iLLiCiTiT.
There was a problem hiding this comment.
If we'd make release manually (for whatever reason) without create_release, this will be triggered.
There was a problem hiding this comment.
I still think we should change this. If we'd do manual release, e.g. because we don't want to merge changes to main, we still want to create signed macOs build.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: philippe-ynput <philippe@ynput.io>
…ndling Signed-off-by: philippe-ynput <philippe@ynput.io>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| is_true() { | ||
| case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in | ||
| 1|true|yes|on) return 0 ;; | ||
| *) return 1 ;; | ||
| esac |
There was a problem hiding this comment.
AYON_APPLE_CODESIGN is parsed as a loose boolean here (1|true|yes|on) via is_true, but in tools/build_post_process.py it is treated as enabled only when the value is exactly "1". This makes codesign/notarize behavior inconsistent across the pipeline (e.g., AYON_APPLE_CODESIGN=true would sign in make.sh but be treated as disabled in post-processing). Consider standardizing on the repo’s existing "1"/"0" convention (e.g., [ "${AYON_APPLE_CODESIGN:-1}" == "1" ]) and dropping/limiting is_true for this flag.
| | Variable | Required | Description | | ||
| | --- | --- | --- | | ||
| | `AYON_APPLE_CODESIGN` | No | Set to `1` to enable code signing, or `0` to skip signing entirely (default) | | ||
| | `AYON_APPLE_SIGN_IDENTITY` | Yes (for signing) | Certificate identity (name or hash) | | ||
| | `AYON_APPLE_TEAM_ID` | No | Team ID for hardened runtime (10 chars) | | ||
| | `AYON_APPLE_ENTITLEMENTS` | No | Path to entitlements file (defaults to `tools/macos/ayon.entitlements`) | | ||
| | `AYON_APPLE_NOTARIZE` | No | Set to `1` to enable notarization submission | | ||
| | `AYON_APPLE_NOTARIZE` | No | Set to `1` to enable notarization submission (only applied when `AYON_APPLE_CODESIGN=1`) | |
There was a problem hiding this comment.
The AYON_APPLE_CODESIGN description says “skip signing entirely (default)”, but the implementation defaults to enabled (AYON_APPLE_CODESIGN defaults to "1" in both tools/make.sh and tools/build_post_process.py). Please correct the docs to reflect the actual default behavior (enabled unless explicitly set to 0).
| process.wait() | ||
|
|
||
| elapsed = time.time() - start | ||
| _logger.info(f"Command took {datetime.timedelta(seconds=elapsed)}") |
There was a problem hiding this comment.
This log line reports only the elapsed time but not which command it applies to, which makes CI logs hard to interpret when many commands run. Consider including a short command identifier (e.g., the first arg / joined args) or logging this at debug level to avoid noisy, context-free info logs.
| _logger.info(f"Command took {datetime.timedelta(seconds=elapsed)}") | |
| cmd_display = " ".join(args) | |
| _logger.info( | |
| "Command '%s' took %s", | |
| cmd_display, | |
| datetime.timedelta(seconds=elapsed), | |
| ) |
This pull request introduces improved control over macOS code signing and notarization for both local builds and CI workflows. It adds a new
AYON_APPLE_CODESIGNenvironment variable and associated workflow inputs to allow explicit enabling or disabling of signing and notarization, making it easier to skip these steps for non-release builds. Documentation has been updated to clarify the new workflow and environment variables, and the build scripts have been refactored to consistently honor these settings.Build and CI workflow improvements:
enable_macos_signinginput to the GitHub Actions workflow (.github/workflows/build_launcher.yml) and updated the workflow logic to enable or disable code signing and notarization based on this input or the event type. TheAYON_APPLE_CODESIGNandAYON_APPLE_NOTARIZEenvironment variables are now set accordingly, allowing fine-grained control over signing in CI.tools/make.sh) to check theAYON_APPLE_CODESIGNvariable (defaulting to enabled) and skip code signing when set to0, providing clear messaging when signing is skipped.Build logic and environment variable handling:
tools/build_post_process.pyto introduce helper functions for checking if code signing and notarization are enabled, ensuring notarization is only attempted if signing is enabled. This prevents accidental notarization attempts on unsigned builds and logs a warning if such a configuration is detected. Also added timing logs for command execution.Documentation updates:
docs/build_guides/macos.mdandtools/macos/SIGNING_CONFIG.mdto document the newAYON_APPLE_CODESIGNvariable, clarify when notarization is performed, and provide clear examples for enabling/disabling signing and notarization in both local and CI environments. Added notes recommending the use of certificate hashes in CI.These changes make the macOS build process more flexible and robust, especially for differentiating between release and non-release (CI) builds.
closes #187