fix: require signed and notarized mac releases

[felippe-alves]

Summary

• wire macOS CI packaging to Developer ID signing and Apple notarization secrets
• fail tagged macOS releases before packaging if signing/notarization secrets are missing
• make the notarization hook fail closed for release builds while still allowing unsigned local builds
• add @electron/notarize as a direct dev dependency because the hook imports it directly

Verification

• node -c scripts/notarize.js
• notarization hook local no-credential skip scenario
• notarization hook release no-credential fail-closed scenario
• ruby YAML parse for .github/workflows/build.yml
• corepack pnpm install --frozen-lockfile --ignore-scripts
• corepack pnpm test

Summary by CodeRabbit

• Chores
  • Enhanced macOS build validation to check for required notarization credentials during release builds.
  • Improved notarization process with support for multiple authentication methods.
  • Optimized build pipeline configuration for macOS packaging.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR implements macOS app notarization support with dual authentication methods. The notarization script handles Apple ID and App Store Connect API key credentials, validates release builds, manages temporary key files, and integrates into the build workflow with pre-flight secret validation and environment variable provisioning.

Changes

macOS Notarization Feature

Layer / File(s)	Summary
Notarization script and dependencies package.json, scripts/notarize.js	Adds @electron/notarize dependency. Implements credential resolution for Apple ID and API key auth, including temporary .p8 file creation/cleanup, release-build gating, and signing credential validation.
Notarization runtime execution scripts/notarize.js	Constructs appPath, resolves notarization options from environment, validates credentials with release-build enforcement, imports and invokes @electron/notarize with resolved options, and guarantees cleanup via finally.
Build workflow validation and environment setup .github/workflows/build.yml	Adds pre-packaging secrets validation step for tag builds that checks for certificate and Apple ID/API key credentials. Updates packaging step environment to pass all signing/notarization secrets and enables debug logging.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Notarization hops into place,

Apple IDs and keys embrace,

Secrets validated before the pack,

Debug logs light the bumpy track,

macOS signs with cryptographic grace! 🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The pull request description provides clear summary points and detailed verification steps, but does not follow the template structure with required sections like Type of Change, Related Issues, and Checklist.	While the description content is substantial and specific, consider formatting it to match the template with Type of Change checkboxes, Related Issues section, and Testing/Checklist completion.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main objective: ensuring macOS releases are signed and notarized by adding validation and credential checks to the CI workflow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

79-119: ⚡ Quick win

Move secret validation ahead of pnpm build.

On tag builds, missing signing/notarization secrets still burn a full macOS build before this step fails. Running this check right after dependency installation keeps the new fail-fast behavior while saving runner time.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 79 - 119, The "Verify mac signing
secrets" step currently runs after the macOS build and should be moved to run
earlier to fail-fast; relocate the step named "Verify mac signing secrets" so it
executes immediately after dependency installation (i.e., right after the
workflow step that runs "pnpm install" or the job step that installs
dependencies) and before the "pnpm build" (or any macOS build) step; keep the
exact env and validation logic intact but change its position in the job
sequence so tag builds validate MAC_CSC_LINK / MAC_CSC_KEY_PASSWORD and either
the APPLE_ID/APPLE_APP_SPECIFIC_PASSWORD/APPLE_TEAM_ID trio or
APPLE_API_KEY/APPLE_API_KEY_ID/APPLE_API_ISSUER trio before running the build.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/notarize.js`:
- Around line 71-73: The current if-block uses the wrong condition and omits
APPLE_TEAM_ID: update the incomplete-credentials check (the if near the throw
that references appleIdEnv) to treat APPLE_TEAM_ID as part of the required set
and to throw only when there is a partial configuration (i.e., at least one of
appleIdEnv is set but not all). Concretely, include "APPLE_TEAM_ID" in
appleIdEnv if not already, compute missing = appleIdEnv.filter(k =>
!process.env[k]) and if (missing.length > 0 && appleIdEnv.some(k =>
process.env[k])) throw an Error listing the missing keys (use appleIdEnv.join or
missing.join for the message) so partial configs are flagged.

---

Nitpick comments:
In @.github/workflows/build.yml:
- Around line 79-119: The "Verify mac signing secrets" step currently runs after
the macOS build and should be moved to run earlier to fail-fast; relocate the
step named "Verify mac signing secrets" so it executes immediately after
dependency installation (i.e., right after the workflow step that runs "pnpm
install" or the job step that installs dependencies) and before the "pnpm build"
(or any macOS build) step; keep the exact env and validation logic intact but
change its position in the job sequence so tag builds validate MAC_CSC_LINK /
MAC_CSC_KEY_PASSWORD and either the
APPLE_ID/APPLE_APP_SPECIFIC_PASSWORD/APPLE_TEAM_ID trio or
APPLE_API_KEY/APPLE_API_KEY_ID/APPLE_API_ISSUER trio before running the build.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: f1cc0f8a-a2c0-4850-b3e4-b272c4b077f6

📥 Commits

Reviewing files that changed from the base of the PR and between fffd46b and 3e24948.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .github/workflows/build.yml
• package.json
• scripts/notarize.js

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Treat APPLE_TEAM_ID as part of the incomplete Apple ID check.

With only APPLE_TEAM_ID set, this falls through as “no credentials” instead of flagging a partial Apple ID configuration. That makes local misconfigurations easy to miss and downgrades tagged builds to the generic error path.

Proposed fix

-  if (process.env.APPLE_ID || process.env.APPLE_APP_SPECIFIC_PASSWORD) {
+  if (hasSomeEnv(appleIdEnv)) {
     throw new Error(`Incomplete Apple ID notarization credentials. Required: ${appleIdEnv.join(", ")}`);
   }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/notarize.js` around lines 71 - 73, The current if-block uses the
wrong condition and omits APPLE_TEAM_ID: update the incomplete-credentials check
(the if near the throw that references appleIdEnv) to treat APPLE_TEAM_ID as
part of the required set and to throw only when there is a partial configuration
(i.e., at least one of appleIdEnv is set but not all). Concretely, include
"APPLE_TEAM_ID" in appleIdEnv if not already, compute missing =
appleIdEnv.filter(k => !process.env[k]) and if (missing.length > 0 &&
appleIdEnv.some(k => process.env[k])) throw an Error listing the missing keys
(use appleIdEnv.join or missing.join for the message) so partial configs are
flagged.