Skip to content

ci(release): add tag-triggered signed release workflow#10

Merged
yves-vogl merged 1 commit into
mainfrom
ci/signed-release-workflow
Jul 14, 2026
Merged

ci(release): add tag-triggered signed release workflow#10
yves-vogl merged 1 commit into
mainfrom
ci/signed-release-workflow

Conversation

@yves-vogl

Copy link
Copy Markdown
Contributor

Summary

Adds .github/workflows/release.yml, a new tag-triggered release workflow. It does not modify ci.yml or any other existing workflow file.

  • Trigger: only fires on pushes of tags matching v* (e.g. v1.0.0). It never runs on pull requests or pushes to main.
  • macOS job (release-macos, macos-14): builds the AU/VST3/Standalone targets universal (arm64 + x86_64) with Ninja, imports the Developer ID signing certificate into a throwaway keychain (deleted in an if: always() cleanup step), codesigns, notarizes via notarytool, staples, zips, and uploads the asset to the GitHub release for the tag.
  • Windows job (release-windows, windows-latest): builds VST3/Standalone, packages them unsigned by design, and uploads to the same release.
  • Permissions: contents: write only, scoped to attaching release assets.
  • Artefact-path resolution uses a find-based lookup (mirroring ci.yml's "Locate plugin artefacts" step) instead of a hardcoded Release/ subfolder, since JUCE's output layout depends on whether the generator is single- or multi-config — same caveat ci.yml already documents for the VST3/AU lookup there.

Dependencies

The macOS job depends on these org-level secrets, which Yves is adding separately:

  • APPLE_API_KEY_ID
  • APPLE_API_ISSUER_ID
  • APPLE_API_KEY_P8
  • APPLE_CERT_P12
  • APPLE_CERT_PASSWORD

Until those are in place, pushing a v* tag would fail at the signing/notarization step — this is safe (no secrets are exposed, no partial/unsigned macOS asset gets published) and expected until the secrets are added.

Test plan

  • YAML parses (python3 -c "import yaml; yaml.safe_load(open('.github/workflows/release.yml'))")
  • Does not touch ci.yml or any other existing file under .github/
  • Normal CI (ci.yml) is green on this PR — this new workflow does not run on PRs, only on v* tag pushes
  • End-to-end signed release verified once Yves adds the Apple secrets and a v* tag is pushed (out of scope for this PR)

🤖 Generated with Claude Code

@yves-vogl
yves-vogl merged commit 2dd553f into main Jul 14, 2026
2 checks passed
@yves-vogl
yves-vogl deleted the ci/signed-release-workflow branch July 14, 2026 21:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant