fix(ci): refresh macOS daemon binaries before signing #574
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9fc935a480
| if [[ -f "${source_path}" ]]; then | ||
| cp -f "${source_path}" "${destination_path}" | ||
| chmod +x "${destination_path}" |
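Review bot: The `-f "${source_path}"` test on the first line skips the copy silently when the source binary is absent; in the lines shown, nothing handles that case, so whatever already sits at `destination_path` would go on to the signing step unchanged. If the intent is that the bundle always carries a freshly built daemon, consider an else branch that exits non-zero, or at least logs the missing path, so the run stops here rather than later in signing.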
Avoid overwriting bundle daemons from generic target/release
daemon_source and daemonctl_source still default to the host build outputs under src-tauri/target/release, so making this copy unconditional now replaces whatever is already embedded in app_path even when the bundle is being reused from a different workspace state or architecture. In that reuse path (for example, re-signing an existing x86_64 bundle after the local checkout last built arm64 binaries), the signed app can silently ship a stale or wrong-arch nested daemon; the previous destination-exists guard was what preserved the already-matched bundle copy.
Summary
Why
The latest failed release run died in during with an unsigned nested inside the app bundle. The helper script only replaced daemon binaries when they were missing, which let an existing stale unsigned binary survive in the Intel bundle layout.
Validation
CODESIGN_IDENTITY='Developer ID Application: Your Name (TEAMID)' scripts/macos-fix-openssl.sh