From 351b166acce515e9cb49f10d0971d35e18ee5688 Mon Sep 17 00:00:00 2001
From: Matt OD
Date: Mon, 27 Apr 2026 10:57:15 -0700
Subject: [PATCH] ci(release): add pre-notarize entitlements gate (#53)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Insert validation step between version-alignment check and tauri-action build.
Fails fast — before any macOS-runner minutes are spent on signing or notarization — when:

- com.apple.security.app-sandbox is present (the v0.2.0/v0.2.1 foot-gun)
- any of the 3 required hardened-runtime carve-outs is missing (cs.allow-jit, cs.allow-unsigned-executable-memory, cs.disable-library-validation)

Verified locally against real plist (pass) and against 3 mutations (sandbox added, cs.allow-jit removed, file missing) — all fail with the expected ::error:: annotation.

Closes #53

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b92c33d..e1d4028 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,6 +56,29 @@ jobs: fi echo "All manifests agree on version $CARGO_V" + - name: Validate entitlements + shell: bash + run: | + # Pre-notarize gate. Catches release-blocker plist misconfigs BEFORE + # burning macOS-runner minutes on signing + notarization. + # Origin: v0.2.0/v0.2.1 sandbox incident (#18, #41). + PLIST=src-tauri/Entitlements.plist + if [ ! -f "$PLIST" ]; then + echo "::error::$PLIST not found" + exit 1 + fi + if grep -q 'com.apple.security.app-sandbox' "$PLIST"; then + echo "::error::App Sandbox must not be enabled for Developer ID distribution — it breaks the auto-updater. See #18/#41." + exit 1 + fi + for KEY in cs.allow-jit cs.allow-unsigned-executable-memory cs.disable-library-validation; do + if ! grep -q "com.apple.security.$KEY" "$PLIST"; then + echo "::error::Required hardened-runtime carve-out missing from $PLIST: com.apple.security.$KEY" + exit 1 + fi + done + echo "Entitlements OK: no sandbox, all 3 hardened-runtime carve-outs present." + - name: Build and Release id: tauri uses: tauri-apps/tauri-action@v0
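Review bot: the `grep -q` checks in the new "Validate entitlements" step test for the presence of a key name, not its value, so the gate answers wrongly for a plist that spells its booleans out. A file carrying `<key>com.apple.security.app-sandbox</key><false/>` (or the key inside an XML comment) trips the sandbox check even though the sandbox is off, and a carve-out written as `<key>com.apple.security.cs.allow-jit</key><false/>` satisfies the `for KEY in ...` loop even though the entitlement is not granted. Since the step already runs under `shell: bash`, parse the values rather than the text, for example by handing `$PLIST` to `python3 -c 'import plistlib,sys; d=plistlib.load(open(sys.argv[1],"rb")); ...'` (python3 is on the hosted runner images) and failing when `d.get("com.apple.security.app-sandbox")` is true or any of the three `cs.*` keys is not true; that also rejects a malformed plist, which a grep cannot. Two smaller points in the same hunk: the unescaped `.` in the grep patterns is a regex wildcard, so use `grep -qF` for fixed-string matching, and the loop does `exit 1` on the first missing key, so a plist lacking two carve-outs needs two CI runs to surface both; collecting the failures and emitting every `::error::` annotation before a single `exit 1` keeps the step fast-failing but complete.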