avenga · lkmgr · Aug 26, 2025 · Aug 26, 2025 · Aug 26, 2025 · Sep 19, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -53,14 +53,10 @@ jobs:
           cache: npm
       - run: npm ci
       - run: npm run docs-test
-  release:
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+  build:
+    # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs: [lint, test]
-    permissions:
-      contents: write # to be able to publish a GitHub release
-      issues: write # to be able to comment on released issues
-      pull-requests: write # to be able to comment on released pull requests
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -77,15 +73,126 @@ jobs:
       - name: Build binaries using bun
         run: |
           mkdir -p build/binaries
-          for TARGET in linux-x64 linux-arm64 windows-x64 darwin-x64 darwin-arm64 linux-x64-musl linux-arm64-musl; do
+          for TARGET in linux-x64 linux-arm64 windows-x64 darwin-x64 darwin-arm64; do
             bun build ./build/src/cli.js \
               --compile \
               --minify \
               --sourcemap \
               --target bun-$TARGET \
               --outfile build/binaries/linkinator-$TARGET
           done
-      - run: npx semantic-release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: ls -alh build/binaries
+      - name: Upload Linux binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-linux
+          retention-days: 3
+          path: |
+            build/binaries/linkinator-linux-x64
+            build/binaries/linkinator-linux-arm64
+      - name: Upload Windows binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-windows
+          retention-days: 3
+          path: |
+            build/binaries/linkinator-windows-x64.exe
+      - name: Upload unsigned macOS binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-macos-unsigned
+          retention-days: 3
+          path: |
+            build/binaries/linkinator-darwin-x64
+            build/binaries/linkinator-darwin-arm64
+  sign:
+    # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: macos-14
+    needs: [build]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download unsigned macOS binaries
+        uses: actions/download-artifact@v5
+        with:
+          name: binaries-macos-unsigned
+          path: binaries
+      - run: ls -alh binaries
+      - name: Import Apple Developer ID certificate
+        uses: apple-actions/import-codesign-certs@95e84a1a18f2bdbc5c6ab9b7f4429372e4b13a8b # v5.0.3
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CERT_DATA }}
+          p12-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+      - name: Sign macOS binaries
+        run: |
+          codesign --deep --force --sign "${{ secrets.APPLE_TEAM_ID }}" --entitlements ci/entitlements.plist ./binaries/linkinator-darwin-x64
+          codesign --deep --force --sign "${{ secrets.APPLE_TEAM_ID }}" --entitlements ci/entitlements.plist ./binaries/linkinator-darwin-arm64
+      # - name: Sign macOS x64 binary
+      #   uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0
+      #   with:
+      #     file: binaries/linkinator-darwin-x64
+      #     apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
+      #     certificate-data: ${{ secrets.APPLE_CERT_DATA }}
+      #     certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+      #     options: --options runtime --entitlements ci/entitlements.plist
+      #     # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
+      #     # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+      #     # apple-notary-tool: altool
+      #     # apple-product-id: dev.lando.code-sign-action
+      # - name: Sign macOS arm64 binary
+      #   uses: lando/code-sign-action@a5703d3b5486ada6e8efd08912110f8756e873e8 # v3.0.0
+      #   with:
+      #     file: binaries/linkinator-darwin-arm64
+      #     apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
+      #     certificate-data: ${{ secrets.APPLE_CERT_DATA }}
+      #     certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
+      #     options: --options runtime --entitlements ci/entitlements.plist
+      #     # apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
+      #     # apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
+      #     # apple-notary-tool: altool
+      #     # apple-product-id: dev.lando.code-sign-action
+      - run: ls -alh binaries
+      - name: Upload signed macOS binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries-macos
+          retention-days: 3
+          path: |
+            binaries/linkinator-darwin-x64
+            binaries/linkinator-darwin-arm64
+  release:
+    # if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs: [build, sign]
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE }}
+          cache: npm
+      - run: npm ci
+      - name: Download Linux binaries
+        uses: actions/download-artifact@v5
+        with:
+          name: binaries-linux
+          path: build/binaries
+      - name: Download Windows binaries
+        uses: actions/download-artifact@v5
+        with:
+          name: binaries-windows
+          path: build/binaries
+      - name: Download signed macOS binaries
+        uses: actions/download-artifact@v5
+        with:
+          name: binaries-macos
+          path: build/binaries
+      - run: ls -alh build/binaries
+      # - run: npx semantic-release
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/ci/entitlements.plist b/ci/entitlements.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>