1919#
2020# Repository secrets / vars:
2121# VSCE_PAT (only required when publishing simdeck-vscode)
22+ # APPLE_TEAM_ID (required when publishing simdeck)
2223#
2324# Tag scheme:
2425# <slug>-v<version> e.g. simdeck-v0.2.0
@@ -289,23 +290,37 @@ jobs:
289290 env :
290291 HAS_CERT : ${{ secrets.APPLE_CERT_P12_BASE64 != '' }}
291292 HAS_NOTARY : ${{ secrets.APPLE_NOTARY_KEY_BASE64 != '' }}
292- HAS_IDENTITY : ${{ vars.APPLE_SIGNING_IDENTITY != '' }}
293+ HAS_TEAM_ID : ${{ vars.APPLE_TEAM_ID != '' }}
294+ IS_DRY_RUN : ${{ inputs.dry-run }}
293295 run : |
294296 set -euo pipefail
295- if [[ "$HAS_CERT" == "true" && "$HAS_NOTARY" == "true" && "$HAS_IDENTITY" == "true" ]]; then
297+
298+ missing=()
299+ [[ "$HAS_CERT" == "true" ]] || missing+=("APPLE_CERT_P12_BASE64")
300+ [[ "$HAS_NOTARY" == "true" ]] || missing+=("APPLE_NOTARY_KEY_BASE64")
301+ [[ "$HAS_TEAM_ID" == "true" ]] || missing+=("APPLE_TEAM_ID")
302+
303+ if [[ "${#missing[@]}" -eq 0 ]]; then
296304 echo "enabled=true" >> "$GITHUB_OUTPUT"
297305 echo "Apple signing + notarization enabled."
306+ elif [[ "$IS_DRY_RUN" == "true" ]]; then
307+ echo "enabled=false" >> "$GITHUB_OUTPUT"
308+ echo "::warning::Apple signing secrets/vars missing for dry-run: ${missing[*]}"
298309 else
299310 echo "enabled=false" >> "$GITHUB_OUTPUT"
300- echo "::warning::Apple signing secrets/vars missing in this environment. The published binary will be UNSIGNED."
311+ echo "::error::Apple signing secrets/vars missing: ${missing[*]}"
312+ echo "Refusing to publish an unsigned SimDeck native binary."
313+ exit 1
301314 fi
302315
303316 - name : Setup signing keychain
304317 if : ${{ steps.signing.outputs.enabled == 'true' }}
318+ id : signing_keychain
305319 shell : bash
306320 env :
307321 APPLE_CERT_P12_BASE64 : ${{ secrets.APPLE_CERT_P12_BASE64 }}
308322 APPLE_CERT_P12_PASSWORD : ${{ secrets.APPLE_CERT_P12_PASSWORD }}
323+ APPLE_TEAM_ID : ${{ vars.APPLE_TEAM_ID }}
309324 run : |
310325 set -euo pipefail
311326
@@ -336,13 +351,32 @@ jobs:
336351 rm -f "$CERT_PATH"
337352
338353 echo "Signing keychain ready at $KEYCHAIN_PATH"
339- security find-identity -v -p codesigning "$KEYCHAIN_PATH"
354+ IDENTITY_REPORT="$(security find-identity -v -p codesigning "$KEYCHAIN_PATH")"
355+ echo "$IDENTITY_REPORT"
356+
357+ SIGNING_IDENTITY="$(
358+ printf '%s\n' "$IDENTITY_REPORT" |
359+ awk -v team="(${APPLE_TEAM_ID})" '
360+ $0 ~ /"Developer ID Application:/ && index($0, team) {
361+ print $2
362+ exit
363+ }
364+ '
365+ )"
366+
367+ if [[ -z "$SIGNING_IDENTITY" ]]; then
368+ echo "::error::No Developer ID Application identity for team ${APPLE_TEAM_ID} was found in the imported certificate." >&2
369+ exit 1
370+ fi
371+
372+ echo "Using Developer ID Application identity for team ${APPLE_TEAM_ID}: ${SIGNING_IDENTITY}"
373+ echo "identity=$SIGNING_IDENTITY" >> "$GITHUB_OUTPUT"
340374
341375 - name : Codesign simdeck binary
342376 if : ${{ steps.signing.outputs.enabled == 'true' }}
343377 shell : bash
344378 env :
345- APPLE_SIGNING_IDENTITY : ${{ vars.APPLE_SIGNING_IDENTITY }}
379+ APPLE_SIGNING_IDENTITY : ${{ steps.signing_keychain.outputs.identity }}
346380 run : |
347381 set -euo pipefail
348382
@@ -449,7 +483,7 @@ jobs:
449483 rm -f "$NPM_CONFIG_USERCONFIG" || true
450484 fi
451485 cd "$PKG_DIR"
452- npm publish --provenance --access public --tag "$DIST_TAG" --dry-run
486+ npm publish --ignore-scripts -- provenance --access public --tag "$DIST_TAG" --dry-run
453487
454488 - name : Publish to npm (OIDC)
455489 if : ${{ !inputs.dry-run && (steps.meta.outputs.kind == 'npm' || steps.meta.outputs.kind == 'npm-cli') }}
@@ -468,7 +502,7 @@ jobs:
468502 rm -f "$NPM_CONFIG_USERCONFIG" || true
469503 fi
470504 cd "$PKG_DIR"
471- npm publish --provenance --access public --tag "$DIST_TAG"
505+ npm publish --ignore-scripts -- provenance --access public --tag "$DIST_TAG"
472506
473507 # ---------- Publish (VS Code Marketplace) ----------
474508
0 commit comments