build(ci): wire macOS code signing + notarization into release workflow

Add a guarded "Sign & notarize macOS app" step to build.yml that signs
dist/DataTools.app with the Developer ID (hardened runtime + entitlements
+ secure timestamp), notarizes via notarytool, and staples the ticket —
running before DMG packaging. The step exits 0 with a warning when the
MACOS_* secrets are absent, so dry-run dispatches still produce an
(unsigned) build.

Add build/macos/entitlements.plist with the hardened-runtime entitlements
a frozen PyInstaller/CPython app needs (JIT memory, library-validation
disabled for bundled .so/.dylib + Tesseract). Update build/README.md to
reflect that macOS signing is now wired and only needs the secrets.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-29 22:56:17 +00:00
parent 9943e6e537
commit 41ab2166ef
3 changed files with 104 additions and 4 deletions

View File

@@ -112,12 +112,15 @@ pyinstaller build/datatools.spec --clean --noconfirm
## Signing (Phase 2 — needs accounts/credentials)
Both code-signing steps are intentionally not in CI yet because they
require credentials the owner sets up first.
**macOS signing + notarization is now wired into `build.yml`** (the
"Sign & notarize macOS app" step, with `build/macos/entitlements.plist`).
It is guarded: if `MACOS_DEVELOPER_ID_CERT_P12_BASE64` is absent the step
warns and exits 0, so dry-run dispatches still produce an unsigned build.
To activate it, just add the secrets below — no code change needed.
**Windows** code-signing is still not wired (accepted v1 friction).
**macOS** — Apple Developer Program enrollment ($99/yr). Once enrolled,
add these GitHub Secrets and uncomment the `codesign` + `notarytool`
steps in `build.yml`:
add these GitHub Secrets to activate the signing step in `build.yml`:
| Secret | Value |
|---|---|