fix: unify release workflows and fix code signing #64

Merged
K9i-0 merged 2 commits into develop from fix/workflow-code-signing
Jul 6, 2025

@K9i-0 K9i-0 commented Jul 6, 2025

Summary

  • Fixed code signing issue in release-dev.yml workflow
  • Created reusable workflow for common build/sign logic
  • Updated certificate handling to match working implementation

Changes

  1. Created .github/workflows/build-and-sign.yml

    • Reusable workflow for build, sign, DMG creation, and notarization
    • Reduces code duplication between release workflows
    • Based on working implementation from main branch
  2. Fixed release-dev.yml

    • Added missing keychain setup steps (list-keychains, default-keychain)
    • Migrated to use the reusable workflow
    • Kept dev-specific logic (version suffix, prerelease flag)
  3. Updated release-stable.yml

    • Updated signing implementation to match main branch
    • Added debug logging for certificate issues
    • Improved error handling

Problem

The release-dev workflow was failing with "The specified item could not be found in the keychain" error because the keychain wasn't properly added to the search list.

Solution

Added the missing keychain configuration steps that exist in the main branch's release.yml:

security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed 's/"//g')
security default-keychain -s "$KEYCHAIN_PATH"

Test Plan

  • Push to develop branch to trigger release-dev workflow
  • Verify code signing succeeds with Developer ID certificate
  • Verify DMG is properly signed and notarized
  • Test stable release workflow still works correctly

🤖 Generated with Claude Code

- Create reusable build-and-sign.yml workflow for common build/sign logic
- Fix release-dev.yml keychain setup (add list-keychains and default-keychain)
- Update release-stable.yml signing to match main branch implementation
- Add proper debug logging for certificate issues
- Improve error handling in signing process
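
An added example, not part of this pull request or the project's workflows: the same two keychain steps written so that existing search-list entries containing spaces stay intact, the keychain is not listed twice, and the step fails immediately if the keychain did not end up in the search list. The function names, `SAMPLE_LISTING` and the sample paths are constructed for illustration; only the `security list-keychains` and `security default-keychain` invocations come from the description above.

```shell
#!/bin/sh
# Added example: keychain search-list setup for a CI signing step.

# Constructed sample of `security list-keychains -d user` output:
# indented, double-quoted paths, one with a space, one already our keychain.
SAMPLE_LISTING='    "/Users/runner/Library/Keychains/login.keychain-db"
    "/Users/runner/My Keys/extra.keychain-db"
    "/tmp/build.keychain-db"'

# Print the new search list, one path per line: the signing keychain first,
# then the existing entries, unquoted, with blanks and duplicates dropped.
# $1 = keychain to add; stdin = output of `security list-keychains -d user`.
merged_keychain_list() {
    {
        printf '%s\n' "$1"
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
    } | awk 'NF && !seen[$0]++'
}

# Apply the list on a macOS runner and confirm the keychain is searchable.
# Reading line by line keeps a path with spaces as a single argument.
apply_keychain_setup() {
    keychain=$1
    set --
    while IFS= read -r path; do
        set -- "$@" "$path"
    done <<EOF
$(security list-keychains -d user | merged_keychain_list "$keychain")
EOF
    security list-keychains -d user -s "$@"
    security default-keychain -s "$keychain"
    # Fail the step here rather than later inside codesign.
    security list-keychains -d user | grep -F -q -- "$keychain"
}

if command -v security >/dev/null 2>&1 && [ -n "${KEYCHAIN_PATH:-}" ]; then
    apply_keychain_setup "$KEYCHAIN_PATH"
else
    # Off macOS (or without KEYCHAIN_PATH): show the merge on the sample.
    printf '%s\n' "$SAMPLE_LISTING" | merged_keychain_list "/tmp/build.keychain-db"
fi
```
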
github-actions bot commented Jul 6, 2025

❌ Version Update Required

This PR is merging to develop but the version in Info.plist has not been updated.

Current version: 0.7.1
PR version: 0.7.1

Please update the version number in Info.plist before this PR can be merged.

How to update:

  1. Edit Info.plist
  2. Update both CFBundleShortVersionString and CFBundleVersion values to the same version
  3. Commit and push the changes

Or use the update script:

./scripts/update-version.sh patch  # or minor/major

The version should follow semantic versioning (x.y.z format).

@K9i-0 K9i-0 requested a review from Copilot July 6, 2025 04:28
Copilot AI left a comment

Pull Request Overview

This PR refactors the release workflows to use a shared build-and-sign workflow and fixes missing code-signing keychain steps.

  • Introduces a reusable build-and-sign.yml for building, signing, DMG creation, and notarization
  • Updates release-dev.yml to call the new reusable workflow and adds proper keychain setup
  • Enhances release-stable.yml with dynamic certificate lookup, debug logging, and improved error handling

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File | Description
.github/workflows/build-and-sign.yml | New reusable workflow handling build, signing, DMG, notarization
.github/workflows/release-dev.yml | Switched to reusable workflow, added missing keychain steps and outputs
.github/workflows/release-stable.yml | Updated signing logic to dynamically find certificates, added debug logs and error checks

Comments suppressed due to low confidence (4)

.github/workflows/release-dev.yml:46

  • The indentation for CERTIFICATES_PASSWORD under secrets: is misaligned; this can cause YAML parsing errors and prevent the password from being set. Align it with CERTIFICATES_P12.
      CERTIFICATES_PASSWORD: ${{ secrets.CERTIFICATES_PASSWORD }}

.github/workflows/release-stable.yml:147

  • [nitpick] Consider removing or gating these extensive debug logging steps once the signing process is stable to reduce CI log noise or extracting them behind a verbose flag.
        # Debug: Check certificate availability

.github/workflows/build-and-sign.yml:145

  • [nitpick] This debug log is duplicated with similar steps in the stable workflow; consider consolidating debug logic into a single reusable step or enabling it via an input flag.
        echo "=== Available certificates in keychain ==="

.github/workflows/build-and-sign.yml:40

  • [nitpick] Pinning to Xcode_15.2.app may require updates when new Xcode versions are released; consider making the Xcode version configurable via a workflow input.
      run: sudo xcode-select -s /Applications/Xcode_15.2.app

@K9i-0 K9i-0 merged commit b340da7 into develop Jul 6, 2025
8 checks passed
@K9i-0 K9i-0 deleted the fix/workflow-code-signing branch July 6, 2025 04:31