ci: add macOS code signing and notarization to release workflow #71

Merged
feloy merged 1 commit into openkaiden:main from feloy:sign-macos-bin
Jun 11, 2026

@feloy feloy commented Jun 4, 2026

Secrets to add (Settings → Secrets and variables → Actions):

  ┌────────────────────────────────────┬─────────────────────────────────────────┐
  │               Secret               │                  Value                  │
  ├────────────────────────────────────┼─────────────────────────────────────────┤
  │ APPLE_SIGNING_CERTIFICATE          │ base64 < YourCert.p12 output            │
  ├────────────────────────────────────┼─────────────────────────────────────────┤
  │ APPLE_SIGNING_CERTIFICATE_PASSWORD │ Password used when exporting the .p12   │
  ├────────────────────────────────────┼─────────────────────────────────────────┤
  │ APPLE_ID                           │ Your Apple ID email                     │
  ├────────────────────────────────────┼─────────────────────────────────────────┤
  │ APPLE_ID_PASSWORD                  │ App-specific password for that Apple ID │
  ├────────────────────────────────────┼─────────────────────────────────────────┤
  │ APPLE_TEAM_ID                      │ Your 10-character Team ID               │
  └────────────────────────────────────┴─────────────────────────────────────────┘

Fixes #67

coderabbitai Bot commented Jun 4, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

The release workflow now includes macOS-specific code signing and notarization. After building the binary, it imports a developer signing certificate, codesigns the binary with Developer ID Application identity, notarizes it through Apple's notarytool service, and removes the temporary keychain.

Changes

macOS Code Signing and Notarization

| Layer / File(s) | Summary |
| --- | --- |
| macOS code signing and notarization workflow steps<br>`.github/workflows/release.yml` | Release workflow adds conditional steps for macOS that import a base64-encoded signing certificate into a temporary keychain, codesign the binary with Developer ID Application identity, notarize the binary zip via xcrun notarytool using Apple credentials, and clean up the temporary keychain. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding macOS code signing and notarization to the release workflow. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing context about required GitHub Actions secrets needed for the code signing and notarization implementation. |
| Linked Issues check | ✅ Passed | The PR addresses the linked issue #67 (sign macOS binaries) by implementing macOS code signing and notarization steps in the release workflow. |
| Out of Scope Changes check | ✅ Passed | All changes are focused on the release workflow and directly support the objective of signing and notarizing macOS binaries; no out-of-scope modifications detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@feloy feloy requested a review from benoitf June 4, 2026 17:01
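
The sequence the walkthrough above describes (temporary keychain, codesign, notarytool, cleanup), written out as an added example. This is not the PR's `release.yml`: the secret names come from the PR description, while the binary path `dist/mybinary`, the keychain file name and the zip path are assumptions.

```yaml
# Added example; not the PR's release.yml. Binary path, zip path and keychain
# name are assumptions. Secret names are the ones listed in the PR description.
- name: Import signing certificate into a temporary keychain
  if: runner.os == 'macOS'
  env:                          # secrets reach the script as env vars, not inline text
    P12_BASE64: ${{ secrets.APPLE_SIGNING_CERTIFICATE }}
    P12_PASSWORD: ${{ secrets.APPLE_SIGNING_CERTIFICATE_PASSWORD }}
  run: |
    set -euo pipefail
    KEYCHAIN="$RUNNER_TEMP/signing.keychain-db"
    KEYCHAIN_PASSWORD="$(openssl rand -base64 24)"   # throwaway, never stored
    echo "$P12_BASE64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security set-keychain-settings -lut 21600 "$KEYCHAIN"
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
    security import "$RUNNER_TEMP/cert.p12" -P "$P12_PASSWORD" -f pkcs12 \
      -k "$KEYCHAIN" -T /usr/bin/codesign
    # Let codesign use the private key without an interactive prompt.
    security set-key-partition-list -S apple-tool:,apple: \
      -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN" > /dev/null
    security list-keychains -d user -s "$KEYCHAIN"
    rm -f "$RUNNER_TEMP/cert.p12"                    # decoded .p12 is no longer needed

- name: Sign and notarize
  if: runner.os == 'macOS'
  env:
    APPLE_ID: ${{ secrets.APPLE_ID }}
    APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
    APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
  run: |
    set -euo pipefail
    BIN="dist/mybinary"                              # placeholder path
    codesign --force --timestamp --options runtime \
      --keychain "$RUNNER_TEMP/signing.keychain-db" \
      --sign "Developer ID Application" "$BIN"
    codesign --verify --strict --verbose=2 "$BIN"    # fail the job on a bad signature
    zip -j "$RUNNER_TEMP/notarize.zip" "$BIN"
    xcrun notarytool submit "$RUNNER_TEMP/notarize.zip" --wait \
      --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID"

- name: Delete temporary keychain
  if: always() && runner.os == 'macOS'               # runs even when signing fails
  run: security delete-keychain "$RUNNER_TEMP/signing.keychain-db"
```

The `always()` condition on the last step is what keeps the imported private key from outliving a failed job on the runner.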

codecov Bot commented Jun 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@feloy feloy force-pushed the sign-macos-bin branch from 5d47260 to 2cd96d9 Compare June 4, 2026 17:08
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Philippe Martin <phmartin@redhat.com>
@feloy feloy merged commit 792e996 into openkaiden:main Jun 11, 2026
7 of 8 checks passed

Development

Successfully merging this pull request may close these issues.

sign macOS binaries

2 participants