Skip to content

Add signed notarized macOS release pipeline#110

Open
jmcte wants to merge 4 commits into
mainfrom
codex/issue-98-signed-release
Open

Add signed notarized macOS release pipeline#110
jmcte wants to merge 4 commits into
mainfrom
codex/issue-98-signed-release

Conversation

@jmcte

@jmcte jmcte commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a GitHub-hosted macOS release pipeline for universal signed DMGs, notarization, stapling, checksums, and public evidence
  • set the stable identifier to com.omtglobal.icloud-cli and reconcile CLI/VISION version 0.2.0
  • enable the release control plane and correct the generic-polyglot Swift archetype
  • replace source-only install guidance, add missing onboarding, document release secrets, Homebrew decision, permission-continuity validation, and GitHub security decisions

Governing Issue

Refs #98

This PR implements the repository side of #98. The issue must remain open until a maintainer provisions the protected release secrets and attaches successful notarization plus clean-account same-path TCC continuity evidence.

Validation

  • Relevant local checks passed

  • Required PR checks are expected to satisfy CI Gate

  • Skipped checks are explained below

  • bash scripts/ci/run-fast-checks.sh — passed; 110 tests, 88.58% coverage, mutation checks, debug/release builds

  • release workflow YAML parsed successfully

  • universal arm64/x86_64 DMG, checksum, strict code-sign verification, and designated-requirement output passed with the documented non-distributable ad-hoc smoke path

  • installed Developer ID identity was discovered, but noninteractive private-key access failed with errSecInternalComponent

Production notarization and clean-account TCC continuity are not claimed or skipped; they are the explicit remaining issue gates.

Bootstrap Governance

  • Changes are scoped to the linked issue
  • Contributor or PR guidance changes are reflected in CONTRIBUTING.md, .github/PULL_REQUEST_TEMPLATE.md, and docs/bootstrap/onboarding.md when applicable
  • PR author enabled auto-merge where GitHub allows it, or GitHub plan-limit evidence/unavailable reason is recorded and the fallback merge-readiness policy applies
  • No real secrets, runtime auth, or machine-local env files are committed

The generated onboarding doc now records reviewers, runner boundaries, and release environment gates.

Flow Contract

  • Owner lane: Hephaestus release engineering
  • Repair owner: jmcte
  • Autonomy class: review-gated implementation with human credential/VM validation
  • Risk class: production release and signing identity

Flow Merge Readiness

  • Every blocker has a next actor and next action
  • No active blocking requested changes remain
  • Non-author approval is present when required
  • PR author enabled auto-merge where GitHub allows it, or recorded why it is unavailable/unsafe

Next actor: release/security reviewer. After merge, a maintainer must provision the documented environment secrets and execute the first release validation.

Merge Automation

  • PR author enabled auto-merge with gh pr merge --auto --squash, or the reason it is unavailable/unsafe is noted below

Auto-merge is deferred because the production release workflow and secret contract require independent review.

Notes

  • No certificate, private key, password, token, auth state, or private test data is committed.
  • No daemon or helper is introduced solely for signing.

Hermes-omt and others added 3 commits July 11, 2026 22:44
Expose a deterministic metadata-only provider registry through JSON and text output, covering every current Apple-data command family with maturity, source, permission, sensitivity, capability, and polling declarations. Document the v1 compatibility policy.\n\nCloses #89.
Expose a versioned external manifest derived from the provider registry, document bounded local wrapper policy, and cover it with synthetic contract tests.

Co-authored-by: Hermes <Hermes-omt@protonmail.com>
Build universal macOS DMGs with stable code identity, notarization, stapling, checksums, release evidence, and governed secrets. Reconcile v0.2 versioning, bootstrap release policy, onboarding, installation, and security decisions.
@jmcte
jmcte marked this pull request as ready for review July 13, 2026 07:29
@jmcte
jmcte requested a review from a team as a code owner July 13, 2026 07:29
@jmcte
jmcte enabled auto-merge (squash) July 13, 2026 07:30

@Hermes-omt Hermes-omt left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review deferred: this head is based on 2b0bcc6a27ca2d3c84755bc21f601c33db8251fd, while current main is d7f88dc01bd283b53c55fa59ed63f43f212a50a5. Update the PR branch onto current main and allow CI to complete for the resulting head before requeueing substantive review. An isolated Hermes node checkout at the requested head was completed; no approval or change request is issued against the stale head.

@athena-omt athena-omt added status:needs-review PR is ready for Athena review. review:athena Athena review governance requested. labels Jul 17, 2026
@athena-omt athena-omt added the state:waiting-checks Waiting for CI/check status to settle. label Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

review:athena Athena review governance requested. state:waiting-checks Waiting for CI/check status to settle. status:needs-review PR is ready for Athena review.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants