Fold macOS desktop release flow into tag release workflow

Author: lightsofapollo

.github/RELEASE_SETUP.md

@@ -1,7 +1,7 @@
 # Release Setup
 
 This project ships:
-- signed macOS `.app` and `.dmg` (manual test workflow)
+- signed/notarized macOS `.dmg` on tag release (when Apple secrets are present)
 - tag-based GitHub Releases with `attn` CLI binaries
 - crates.io publishing for `cargo install attn`
 - npm package publishing for `npx attnmd`
@@ -13,9 +13,7 @@ This project ships:
 - `scripts/macos-create-dmg.sh`: packages and optionally signs DMG
 - `scripts/macos-notarize-dmg.sh`: notarizes and staples DMG
 - `.github/workflows/test-signing.yml`: signing smoke test
-- `.github/workflows/macos-desktop-test.yml`: build/sign/notarize artifact test
-- `.github/workflows/release.yml`: build release binaries on tag push (`v*`), publish crate, and publish npm
-  (signing/notarization remains in dedicated macOS workflows)
+- `.github/workflows/release.yml`: build release binaries on tag push (`v*`), optionally sign/notarize DMG, publish crate, and publish npm
 - `.github/workflows/npm-publish.yml`: manual fallback publisher (workflow_dispatch or release events)
 
 ## Required GitHub Secrets
@@ -66,10 +64,7 @@ scripts/macos-notarize-dmg.sh target/aarch64-apple-darwin/release/bundle/osx/att
 ## CI test run
 
 1. Run `Test Code Signing` workflow to validate cert/keychain/signing.
-2. Run `macOS Desktop Build Test` workflow:
-   - `mode=prod`
-   - `target=aarch64-apple-darwin`
-   - `notarize=true`
+2. Push a version tag (`v*`) and verify `Release` workflow completes.
 
 ## GitHub release flow (tag-based)
 
@@ -83,6 +78,7 @@ scripts/macos-notarize-dmg.sh target/aarch64-apple-darwin/release/bundle/osx/att
    - `attn-v<VERSION>-darwin-arm64`
    - `attn-v<VERSION>-darwin-x64`
    - matching `.sha256` files
+   - `attn-v<VERSION>-darwin-arm64.dmg` and checksum when notarization secrets are configured
 4. A GitHub Release for the tag is created/updated with those assets.
 5. The same workflow publishes crate `attn` to crates.io.
 6. The same workflow publishes npm package `attnmd`.

.github/workflows/macos-desktop-test.yml

@@ -10,9 +10,19 @@ permissions:
   id-token: write
 
 jobs:
-  build-binary:
-    name: Build darwin-arm64
-    runs-on: macos-14
+  build-binaries:
+    name: Build ${{ matrix.asset_suffix }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-14
+            target: aarch64-apple-darwin
+            asset_suffix: darwin-arm64
+          - runner: macos-13
+            target: x86_64-apple-darwin
+            asset_suffix: darwin-x64
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -30,37 +40,150 @@ jobs:
           npm ci
 
       - name: Setup Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - name: Cache Rust
+        uses: Swatinem/rust-cache@v2
+
+      - name: Build release binary
+        run: cargo build --release --target ${{ matrix.target }} --locked
+
+      - name: Prepare binary assets
+        env:
+          TAG: ${{ github.ref_name }}
+          TARGET: ${{ matrix.target }}
+          ASSET_SUFFIX: ${{ matrix.asset_suffix }}
+        run: |
+          VERSION="${TAG#v}"
+          mkdir -p dist
+          cp "target/${TARGET}/release/attn" "dist/attn-v${VERSION}-${ASSET_SUFFIX}"
+          chmod +x "dist/attn-v${VERSION}-${ASSET_SUFFIX}"
+          shasum -a 256 "dist/attn-v${VERSION}-${ASSET_SUFFIX}" > "dist/attn-v${VERSION}-${ASSET_SUFFIX}.sha256"
+
+      - name: Upload binary artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-${{ matrix.asset_suffix }}
+          path: dist/*
+          retention-days: 7
+
+  build-signed-dmg:
+    name: Build, sign & notarize DMG
+    runs-on: macos-14
+    if: ${{ secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' && secrets.KEYCHAIN_PASSWORD != '' && secrets.APPLE_SIGNING_IDENTITY != '' && secrets.APPLE_ID != '' && secrets.APPLE_APP_SPECIFIC_PASSWORD != '' && secrets.APPLE_TEAM_ID != '' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+          cache-dependency-path: web/package-lock.json
+
+      - name: Setup Rust toolchain
         uses: dtolnay/rust-toolchain@stable
         with:
           targets: aarch64-apple-darwin
 
       - name: Cache Rust
         uses: Swatinem/rust-cache@v2
 
-      - name: Build production binary
-        run: cargo build --release --target aarch64-apple-darwin --locked
+      - name: Install cargo-bundle
+        uses: taiki-e/cache-cargo-install-action@v2
+        with:
+          tool: cargo-bundle
+
+      - name: Install frontend dependencies
+        run: |
+          cd web
+          npm ci
 
-      - name: Prepare release assets
+      - name: Import code signing certificate
+        env:
+          CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE }}
+          CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
+          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+
+          echo -n "$CERTIFICATE_BASE64" | base64 --decode > "$CERTIFICATE_PATH" || \
+            echo -n "$CERTIFICATE_BASE64" | base64 -D > "$CERTIFICATE_PATH"
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security import "$CERTIFICATE_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security list-keychain -d user -s "$KEYCHAIN_PATH"
+
+          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
+
+      - name: Build app bundle
+        run: |
+          scripts/macos-build-bundle.sh prod aarch64-apple-darwin
+
+          APP_PATH="$(find target/aarch64-apple-darwin -path '*/bundle/osx/*.app' -maxdepth 6 | head -n1)"
+          if [ -z "$APP_PATH" ]; then
+            echo "No app bundle found" >&2
+            exit 1
+          fi
+
+          DMG_PATH="$(dirname "$APP_PATH")/attn.dmg"
+          echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
+          echo "DMG_PATH=$DMG_PATH" >> "$GITHUB_ENV"
+
+      - name: Sign app bundle
+        env:
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+        run: scripts/macos-sign-app.sh "$APP_PATH" "$APPLE_SIGNING_IDENTITY"
+
+      - name: Create DMG
+        env:
+          APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+        run: scripts/macos-create-dmg.sh "$APP_PATH" "$DMG_PATH"
+
+      - name: Notarize DMG
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: scripts/macos-notarize-dmg.sh "$DMG_PATH"
+
+      - name: Prepare DMG assets
         env:
           TAG: ${{ github.ref_name }}
         run: |
           VERSION="${TAG#v}"
           mkdir -p dist
-          cp "target/aarch64-apple-darwin/release/attn" "dist/attn-v${VERSION}-darwin-arm64"
-          chmod +x "dist/attn-v${VERSION}-darwin-arm64"
-          shasum -a 256 "dist/attn-v${VERSION}-darwin-arm64" > "dist/attn-v${VERSION}-darwin-arm64.sha256"
+          cp "$DMG_PATH" "dist/attn-v${VERSION}-darwin-arm64.dmg"
+          shasum -a 256 "dist/attn-v${VERSION}-darwin-arm64.dmg" > "dist/attn-v${VERSION}-darwin-arm64.dmg.sha256"
 
-      - name: Upload build artifacts
+      - name: Upload DMG artifacts
         uses: actions/upload-artifact@v4
         with:
-          name: release-darwin-arm64
+          name: release-dmg-darwin-arm64
           path: dist/*
           retention-days: 7
 
+      - name: Cleanup keychain
+        if: always()
+        run: |
+          if [ -n "${KEYCHAIN_PATH:-}" ] && [ -f "$KEYCHAIN_PATH" ]; then
+            security delete-keychain "$KEYCHAIN_PATH"
+          fi
+
   publish-release:
     name: Publish GitHub Release
     runs-on: ubuntu-latest
-    needs: build-binary
+    needs:
+      - build-binaries
+      - build-signed-dmg
+    if: ${{ always() && needs.build-binaries.result == 'success' && (needs.build-signed-dmg.result == 'success' || needs.build-signed-dmg.result == 'skipped') }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -71,11 +194,8 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           path: dist
-
-      - name: Flatten artifact directories
-        run: |
-          mkdir -p release-assets
-          find dist -type f -maxdepth 3 -exec cp {} release-assets/ \;
+          pattern: release-*
+          merge-multiple: true
 
       - name: Create or update release
         env:
@@ -89,7 +209,7 @@ jobs:
               --title "$TAG" \
               --notes "Automated release for $TAG."
           fi
-          gh release upload "$TAG" release-assets/* --clobber
+          gh release upload "$TAG" dist/* --clobber
 
   publish-crates:
     name: Publish crates.io