Distribution: CI, release pipeline, macOS signing & notarization #2

Merged: byshing merged 17 commits into master from feature/distribute on May 15, 2026


@byshing byshing commented May 15, 2026

Summary

  • .github/workflows/ci.yml — runs cargo test on every push to master and PR; installs libdbus-1-dev for Linux
  • .github/workflows/release.yml — cargo-dist release pipeline for all 5 targets (macOS arm64/x86, Linux arm64/x86, Windows x86) with GitHub Attestations
  • install.sh — reverted pre-launch gh CLI workarounds to plain curl for public distribution
  • dist-workspace.toml — macOS signing, hardened runtime, notarization, libdbus-1-dev for Linux, aarch64-apple-darwin pinned to macos-15, custom secret name mappings

GitHub Secrets required

| Secret | Purpose |
| --- | --- |
| APPLE_CERTIFICATE | Base64-encoded Developer ID Application .p12 |
| APPLE_CERTIFICATE_PASSWORD | .p12 export password |
| APPLE_CODESIGN_IDENTITY | Developer ID Application: HDR BMEX Limited (9UL94MA5KD) |
| APPLE_TEAM_ID | 9UL94MA5KD |
| APPLE_NOTARIZE_ID | app.developers@bitmex.com |
| APPLE_NOTARIZE_PASSWORD | App-specific password from appleid.apple.com |

Test results (v1.0.0-alpha.2)

  • ✅ All 5 targets build successfully
  • ✅ macOS binaries signed with Developer ID
  • ✅ macOS binaries notarized (hardened runtime enabled)
  • ✅ Linux builds include libdbus-1-dev
  • ✅ Windows build passes

To ship v1.0.0

  1. Merge this PR
  2. Make the repo public on GitHub
  3. git tag v1.0.0 && git push origin v1.0.0

🤖 Generated with Claude Code
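
A preflight check for the secrets listed in the description above, as an added example that is not part of this PR or the project's code: it confirms every secret is set, that APPLE_CERTIFICATE decodes from base64 to a PKCS#12 header, and that the team ID inside APPLE_CODESIGN_IDENTITY matches APPLE_TEAM_ID. The function names and all sample values are constructed, and the 10-character team ID pattern is an assumption.

```python
import base64
import binascii
import re

# Secret names as listed in the PR description above.
REQUIRED = (
    "APPLE_CERTIFICATE", "APPLE_CERTIFICATE_PASSWORD", "APPLE_CODESIGN_IDENTITY",
    "APPLE_TEAM_ID", "APPLE_NOTARIZE_ID", "APPLE_NOTARIZE_PASSWORD",
)

def _der_sequence_body(data):
    """Return the bytes after a leading DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:  # short-form length
        return data[2:]
    n = data[1] & 0x7F  # long form: n length bytes follow
    return data[2 + n:] if 0 < n <= 4 and len(data) >= 2 + n else None

def preflight(env):
    """Return a list of problems found in a mapping of secret name -> value."""
    problems = [f"{k} is missing or empty" for k in REQUIRED if not env.get(k, "").strip()]
    if problems:
        return problems
    try:
        raw = base64.b64decode("".join(env["APPLE_CERTIFICATE"].split()), validate=True)
    except (binascii.Error, ValueError):
        problems.append("APPLE_CERTIFICATE is not valid base64")
    else:
        body = _der_sequence_body(raw)
        # A PKCS#12 PFX is SEQUENCE { version INTEGER 3, ... }; a PEM file fails here.
        if body is None or body[:3] != b"\x02\x01\x03":
            problems.append("APPLE_CERTIFICATE does not decode to a PKCS#12 (.p12) file")
    # Assumption: identity is "Developer ID Application: NAME (TEAMID)", TEAMID 10 chars.
    m = re.fullmatch(r"Developer ID Application: .+ \(([A-Z0-9]{10})\)",
                     env["APPLE_CODESIGN_IDENTITY"].strip())
    if not m:
        problems.append("APPLE_CODESIGN_IDENTITY is not 'Developer ID Application: NAME (TEAMID)'")
    elif m.group(1) != env["APPLE_TEAM_ID"].strip():
        problems.append("APPLE_TEAM_ID does not match the team ID in APPLE_CODESIGN_IDENTITY")
    return problems

# Constructed sample values: a fake PFX header, not a real certificate or account.
_FAKE_P12 = base64.b64encode(b"\x30\x82\x00\x10\x02\x01\x03" + b"\x00" * 13).decode()
SAMPLE = {
    "APPLE_CERTIFICATE": _FAKE_P12, "APPLE_CERTIFICATE_PASSWORD": "constructed",
    "APPLE_CODESIGN_IDENTITY": "Developer ID Application: Example Corp (ABCDE12345)",
    "APPLE_TEAM_ID": "ABCDE12345", "APPLE_NOTARIZE_ID": "dev@example.com",
    "APPLE_NOTARIZE_PASSWORD": "constructed",
}
```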

yshing and others added 17 commits May 15, 2026 10:42
- Generate .github/workflows/release.yml via cargo-dist for cross-platform
  builds on macOS arm64/x86, Linux arm64/x86, and Windows x86
- Remove allow-dirty = ["ci"] from dist-workspace.toml so dist can manage CI
- Revert install.sh TEMP pre-launch blocks: replace gh CLI calls with curl
  for tag lookup, binary download, and source tarball download

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Sets macos-sign = true in dist-workspace.toml; regenerates release.yml
to pass CODESIGN_CERTIFICATE, CODESIGN_CERTIFICATE_PASSWORD, and
CODESIGN_IDENTITY secrets to macOS build runners.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…t names

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
macOS 14 rejects OpenSSL 3.x p12 format; macos-15 handles it correctly.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
…ha.1

- Add APPLE_NOTARIZE_* secrets and notarize step to release workflow;
  step runs only on macOS targets and only on tag releases
- Revert pr-run-mode from upload back to plan
- Bump version to 1.0.0-alpha.1 for pre-release testing

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Apple rejects notarization submissions without hardened runtime enabled.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@byshing byshing merged commit ad826a6 into master May 15, 2026
6 checks passed