configure darwin build with code signing

daveshanley · daveshanley · commit b190bb9a93e4 · 2026-04-11T10:20:04.000-04:00
man, what a goddammed pain in the ass.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -38,6 +38,11 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}
           CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
 
   publish_npm:
     if: success() || failure()
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -5,16 +5,24 @@ before:
     # You may remove this if you don't use go modules.
     - go mod tidy
 builds:
-  - env:
+  - id: default
+    env:
       - CGO_ENABLED=0
     goos:
       - linux
       - windows
-      - darwin
     goarch:
       - amd64
       - arm64
       - "386"
+  - id: darwin
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
 archives:
   - name_template: >-
       {{ .ProjectName }}_
@@ -32,6 +40,21 @@ changelog:
     exclude:
       - '^docs:'
       - '^test:'
+notarize:
+  macos:
+    - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
+      ids:
+        - darwin
+      sign:
+        certificate: "{{.Env.MACOS_SIGN_P12}}"
+        password: "{{.Env.MACOS_SIGN_PASSWORD}}"
+      notarize:
+        issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}"
+        key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}"
+        key: "{{.Env.MACOS_NOTARY_KEY}}"
+        wait: true
+        timeout: 20m
+
 homebrew_casks:
   - repository:
       owner: pb33f
@@ -44,7 +67,10 @@ homebrew_casks:
     homepage: "https://pb33f.io/openapi-changes"
     description: "The worlds sexiest OpenAPI diffing and change detection engine"
 
-    binary: openapi-changes
+    hooks:
+      post:
+        install: |
+          system_command "/usr/bin/xattr", args: ["-dr", "com.apple.quarantine", "#{staged_path}/openapi-changes"]
 
 snapshot:
   version_template: "{{ .Tag }}"
