feat(release): add macOS binary notarization via goreleaser (#1274)

Add notarize.macos section to .goreleaser.yaml using anchore/quill for cross-platform code signing and Apple notarization of darwin binaries. Covers all three build targets (picoclaw, picoclaw-launcher, picoclaw-launcher-tui). Notarization is gated on MACOS_SIGN_P12 being set, so releases without the secrets configured will skip this step gracefully. Required GitHub secrets: - MACOS_SIGN_P12: base64-encoded .p12 certificate - MACOS_SIGN_PASSWORD: certificate password - MACOS_NOTARY_ISSUER_ID: App Store Connect issuer UUID - MACOS_NOTARY_KEY_ID: App Store Connect API key ID - MACOS_NOTARY_KEY: base64-encoded .p8 API key Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-12 18:08:54 +00:00 · 2026-03-09 18:50:11 +08:00
parent abafa3c2aa
commit f505f009df
2 changed files with 22 additions and 0 deletions
@@ -96,6 +96,11 @@ jobs:
          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
          DOCKERHUB_IMAGE_NAME: ${{ vars.DOCKERHUB_REPOSITORY }}
          GOVERSION: ${{ steps.setup-go.outputs.go-version }}
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}

      - name: Apply release flags
        shell: bash