Add code signing and notarization to Bun Compile workflow#101
Adds .github/workflows/bun-compile.yml that compiles the Auggie CLI into self-contained native binaries using Bun, pulling the pre-built @augmentcode/auggie package from npm.
- workflow_dispatch trigger with required version input
- 4 platform targets via matrix (darwin-arm64, darwin-x64, linux-x64, windows-x64)
- Cross-compilation on ubuntu-latest using bun build --compile --target
- Release job creates GitHub Release with all 4 binaries attached
Agent-Id: agent-42aef0a6-de54-40e7-9889-e6dc52b9645d
Agent-Id: agent-94e7274a-0a18-4a87-abb4-57e6efed6532
Addresses PR review comments: remove '0.18.1' fallback in both build and release jobs. Version is now passed via env vars and the workflow fails explicitly if no version is supplied via workflow_dispatch or repository_dispatch.
Agent-Id: agent-94e7274a-0a18-4a87-abb4-57e6efed6532
…mpile workflow (#99)
🤖 Augment PR Summary
Summary: Adds a GitHub Actions workflow to build self-contained Auggie CLI binaries from the published Changes:
Technical Notes: The build/release version is provided via
Review completed. 3 suggestions posted.
Items Reviewed
- ✅ Check review guidelines
- ✅ Verify workflow triggers & version propagation
- ✅ Verify macOS signing & notarization steps
- ✅ Verify artifacts, checksums, and release creation
- ✅ Review .github/workflows/bun-compile.yml
| type: string | ||
| repository_dispatch: | ||
| types: [npm-published] | ||
| push: |
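Review bot: the `push:` trigger on the last line of this hunk has no version source of its own, so a push-triggered run can only fail at the "No version provided" check; either drop `push:` or derive the version for that path from the pushed tag or package.json. Separately, `version` is a free-form `type: string` input, and `repository_dispatch` with `types: [npm-published]` accepts it from any API caller holding a token, so validate it against a strict pattern such as `^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$` before it reaches any `run:` shell step.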
Since VERSION is only populated from workflow_dispatch/repository_dispatch, any run triggered by push will hit the “No version provided” error and fail. If push runs are expected, consider how VERSION should be sourced for them.
Severity: medium
| contents: read | ||
| steps: | ||
| - name: Set up Bun | ||
| uses: oven-sh/setup-bun@v2 |
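Review bot: `uses: oven-sh/setup-bun@v2` on the last line is a mutable tag; pin it to the full commit SHA and keep the version as a trailing comment (`uses: oven-sh/setup-bun@<commit-sha> # v2`) so Dependabot can still track updates, and do the same for every other action this workflow references. `contents: read` on the first line is the right least-privilege default for the build job; only the release job that creates the GitHub Release needs `contents: write`.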
This workflow handles signing/notarization secrets, but it references actions by movable tags (e.g., oven-sh/setup-bun@v2), which increases supply-chain risk if a tag is moved/compromised. Pinning actions to immutable commit SHAs would reduce that risk.
Severity: medium
Other Locations
.github/workflows/bun-compile.yml:101
.github/workflows/bun-compile.yml:113
| APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | ||
| run: | | ||
| zip "${{ matrix.output }}.zip" "${{ matrix.output }}" | ||
| xcrun notarytool submit "${{ matrix.output }}.zip" --apple-id "$APPLE_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait |
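Review bot: the `zip` and `notarytool` lines interpolate `${{ matrix.output }}` directly into the script while the secrets on the lines above are correctly passed through `env:`; for consistency, and so the step stays safe if the matrix ever becomes input-derived, export the output name as an env var too and reference `"$OUTPUT"` in the script. Note also that `--password "$APPLE_APP_SPECIFIC_PASSWORD"` places the secret in argv, where it stays visible in the process table for the whole `--wait` period (GitHub masks it in logs, not in `ps`); storing it once with `xcrun notarytool store-credentials` and submitting with `--keychain-profile` confines that exposure to a single short-lived call.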
Review
This looks solid overall — the signing/notarization steps follow standard Apple practices. A few observations:
- Missing `xcrun stapler` — After notarization, you should staple the ticket to the binary: `xcrun stapler staple "${{ matrix.output }}"`. Without this, the binary still passes Gatekeeper (Apple checks online), but stapling embeds the ticket so it works offline too. This is standard practice.
- Keychain cleanup — The temporary `build.keychain` is never deleted. Not a security risk on ephemeral GH runners, but adding `security delete-keychain build.keychain` in a post-step would be good hygiene.
- `sha256sum` on macOS — The checksum step runs in the `release` job on `ubuntu-latest` so this is fine today, but worth noting that macOS uses `shasum -a 256` if the job runner ever changes.
- Merge conflicts — The PR is currently in a `dirty` mergeable state and needs a rebase.
Adds macOS code signing (Developer ID Application) and Apple notarization steps to the Bun Compile workflow for darwin binaries.
This ensures downloaded auggie binaries pass `codesign --verify --strict` and are accepted by macOS Gatekeeper.
Pull Request opened by Augment Code with guidance from the PR author
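As an added example, not the PR's workflow code and not part of the Augment project, the shell functions below implement the two post-build checks raised in the review comment and the PR description above: a checksum step that works on both `ubuntu-latest` (`sha256sum`) and macOS (`shasum -a 256`), paired with a verifier that rejects missing or modified binaries, and a macOS post-signing step that runs `codesign --verify --strict` and removes `build.keychain` through an EXIT trap so the cleanup also happens when verification fails. The manifest name `SHA256SUMS`, the sample file names and the keychain name `build.keychain` are assumptions. Stapling is deliberately left out: `xcrun stapler` attaches tickets to app bundles, disk images and installer packages, not to a bare executable, so a standalone binary is validated by Gatekeeper online.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow code. Post-build integrity steps for
# compiled binaries:
#   sha256_of / write_checksums / verify_checksums : portable checksum
#       manifest generation and verification (ubuntu-latest and macOS)
#   macos_verify_and_cleanup : strict signature check plus keychain removal
# Assumed names (not from the PR): SHA256SUMS manifest, build.keychain.
set -eu

# SHA-256 hex digest of one file. GNU coreutils ships sha256sum; macOS ships
# the Perl shasum instead, so both are handled with the same output format.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Write a manifest with one "<hex>  <basename>" line per file; this is the
# format both `sha256sum -c` and `shasum -c` accept.
write_checksums() {
  local manifest="$1" f
  shift
  : > "$manifest"
  for f in "$@"; do
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
  done
}

# Check every manifest entry against the files in a directory. Returns 0 only
# when every listed file exists and matches; each problem is reported on stderr.
verify_checksums() {
  local manifest="$1" dir="$2" status=0 expected name actual
  while read -r expected name; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING: $name" >&2
      status=1
      continue
    fi
    actual="$(sha256_of "$dir/$name")"
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $name" >&2
      status=1
    fi
  done < "$manifest"
  return "$status"
}

# macOS only: verify the Developer ID signature strictly and always delete the
# temporary signing keychain, even when verification fails. Skipped where the
# Apple toolchain is absent so the file still loads on Linux runners.
macos_verify_and_cleanup() {
  local bin="$1"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available; skipping macOS verification" >&2
    return 0
  fi
  trap 'security delete-keychain build.keychain 2>/dev/null || true' EXIT
  codesign --verify --strict --verbose=2 "$bin"
  # Record the identity actually applied, so it appears in the job log.
  codesign --display --verbose=2 "$bin"
}
```

In a workflow, the release job would call `write_checksums SHA256SUMS auggie-*` after downloading all artifacts and attach the manifest to the release, while the darwin build jobs would call `macos_verify_and_cleanup "$OUTPUT"` after notarization; a consumer verifies a download with `verify_checksums SHA256SUMS .`.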