ci: macOS .dmg release pipeline (arm64 + Intel) + README polish #3

Merged: Cmochance merged 3 commits into main from release-pipeline on Jun 1, 2026
Conversation

@Cmochance (Owner) commented Jun 1, 2026

Overview

Following codex-app-transfer, this adds a GitHub Actions pipeline that packages the app automatically. The first version focuses on the macOS .app + .dmg (arm64 + Intel), with the emphasis on getting signing right so that the packaged output is not "unusable". (.pkg / Windows .exe have been verified locally as feasible, but Windows has not been regression-tested on real hardware and would block the release because `release` has `needs: build`, so the first version leaves them disabled; they can be added later.)

Trigger

Push a tag v* (e.g. v0.1.0) or run workflow_dispatch manually (fill in version); the tag version is checked to equal the one in tauri.conf.json (currently 0.1.0).

Signing (key point)

  • macOS defaults to ad-hoc signing (APPLE_SIGNING_IDENTITY="-"): a completely unsigned .app is reported as "damaged" by Gatekeeper on macOS 15+; after ad-hoc signing it can be opened via right-click → Open. Verified with a real local build: Signature=adhoc, codesign --verify --deep --strict passes, and the .dmg (13.95MB) passes hdiutil verify as VALID.
  • Optional upgrade: configure the 6 APPLE_* secrets → automatic real signing + notarization (double-click to open).
  • Each platform verifies before upload (codesign / hdiutil / size) so a bad package fails early; every artifact ships with a .sha256; a draft release is published.

README

  • Added a list of supported apps at the top (Codex Desktop / Antigravity)
  • Download section updated to the two macOS .dmg assets + ad-hoc right-click-open instructions + SHA256 verification

After merging

gh workflow run release.yml -f version=0.1.0 does a real build of both the arm64 and Intel dmg and produces a draft release for verification.

GitHub Actions release pipeline (push tag v* or workflow_dispatch):
- macOS arm64 (macos-14) + Intel x64 (macos-15-intel): cargo tauri build
  app,dmg, then productbuild a .pkg from the bundled .app
- Windows x64: NSIS .exe

Signing: macOS uses ad-hoc identity by default (APPLE_SIGNING_IDENTITY="-")
so the .app/.dmg/.pkg are openable via right-click — a fully unsigned .app is
rejected outright by Gatekeeper on macOS 15+ ("damaged"). Optional Apple
Developer ID + notarization kicks in automatically if the APPLE_* secrets are
configured. Windows .exe is unsigned (SmartScreen warning, still usable).

Each platform verifies its artifacts before upload (codesign --verify --deep
--strict, hdiutil verify, pkg payload check, PE32 + size for .exe), ships a
.sha256 sidecar, and uploads to a draft release. Locally validated the full
macOS chain (build -> ad-hoc sign -> dmg -> productbuild pkg -> verify).

README: document the release assets, the ad-hoc Gatekeeper right-click-open
caveat, the Windows SmartScreen / macOS-only-runtime notes, and SHA256 verify.
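The tag-version check and the per-artifact .sha256 sidecar described above, written out as an added example that is not the repository's own release.yml: plain POSIX shell functions that assume the version sits in a top-level "version" key of tauri.conf.json and that the sidecar uses shasum's "<hash>  <file>" line format. The codesign / hdiutil steps are macOS-only and are left out so the functions run anywhere.

```shell
# Added example (not the repository's release.yml): the pre-upload checks as
# POSIX shell functions. Assumption: tauri.conf.json has a top-level "version".

# Extract "version": "x.y.z" from a tauri.conf.json-style file without jq.
conf_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Strip the leading "v" from a release tag such as v0.1.0.
tag_version() {
  printf '%s\n' "$1" | sed 's/^v//'
}

# Return 0 when the tag's version equals the config version, 1 otherwise
# (an empty config version is treated as a mismatch, not a pass).
check_version() {
  tag="$1"; conf="$2"
  want=$(conf_version "$conf")
  got=$(tag_version "$tag")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Use whichever SHA-256 tool the runner has (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Write <artifact>.sha256 next to the artifact in "<hash>  <basename>" format.
write_sidecar() {
  base=$(basename "$1")
  printf '%s  %s\n' "$(sha256_of "$1")" "$base" > "$1.sha256"
}

# Verify an artifact against its sidecar; an empty artifact is rejected outright,
# which is the "size" part of the per-platform check.
verify_sidecar() {
  [ -s "$1" ] || return 1
  expected=$(awk '{print $1}' "$1.sha256")
  [ "$(sha256_of "$1")" = "$expected" ]
}
```

Because the sidecar is in shasum's own format, `shasum -a 256 -c app.dmg.sha256` on macOS checks it the same way, which is the verification step the README asks downloaders to run.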

@chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 68db0d8af2



@devin-ai-integration (Bot) left a comment


Devin Review found 1 potential issue.


Cmochance added 2 commits June 1, 2026 16:31
Drop the .pkg productbuild step and the Windows .exe job for the first release —
keep it to the locally-validated macOS dmg path (arm64 + Intel). The Windows
build is untested and, since `release` needs all build jobs, a Windows failure
would block the whole release; .pkg / Windows can be re-added later.

README download section trimmed to the two macOS .dmg assets.
@Cmochance changed the title from "ci: multi-platform release workflow (.dmg / .pkg / .exe)" to "ci: macOS .dmg release pipeline (arm64 + Intel) + README polish" Jun 1, 2026
@Cmochance merged commit ea77cee into main Jun 1, 2026
2 checks passed
@Cmochance deleted the release-pipeline branch June 1, 2026 08:41
Cmochance added a commit that referenced this pull request Jun 1, 2026
…#4)

Pass github.event.inputs.version / steps.ver.outputs.version through env vars
instead of interpolating ${{ }} directly into run: shell blocks (CWE-78). A
workflow_dispatch version like $(...) would otherwise be evaluated by the shell.
matrix.* / with: usages are repo-controlled or not shell-evaluated and unchanged.

Addresses devin-ai-integration PR #3 review.
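To make the CWE-78 point in that commit concrete, here is an added example (not code from the repository) that reproduces the two ways a workflow_dispatch value can reach a shell step: `run_templated` splices the value into the script text before the shell sees it, which is what a `${{ github.event.inputs.version }}` expression inside a `run:` block does, and `run_via_env` keeps the script text constant and hands the value over in the environment, which is the commit's fix. The `valid_version` allowlist is an assumed extra check that the commit does not mention.

```shell
# Added example, not from the repository: two ways a workflow input can reach
# a shell step, plus an allowlist check a workflow_dispatch handler can apply.

# Unsafe pattern: the value is spliced into the script text, the way `${{ }}`
# expressions are expanded before the step's shell parses `run:`. A value
# containing $(...) or backticks therefore becomes shell syntax.
run_templated() {
  script="echo \"release version: $1\""
  sh -c "$script"
}

# Hardened pattern: the script text never changes; the value arrives through
# the environment and the inner shell only ever expands it as data.
run_via_env() {
  VERSION="$1" sh -c 'echo "release version: $VERSION"'
}

# Defence in depth (assumed, not part of the commit): accept only a plain
# three-part version such as 0.1.0 before the workflow uses the input at all.
valid_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}
```

In the workflow the same split is a step-level `env:` entry (`VERSION: ${{ github.event.inputs.version }}`) with `"$VERSION"` in the `run:` body; a benign input prints identically either way, and only the templated form lets a `$(...)` input execute. Rejecting anything that is not a bare version number on top of that fails the job before any shell sees the value.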