fix: macos code signing

Signed-off-by: Adam Setch <[email protected]>

Author: setchy

.github/workflows/ci.yml

@@ -4,15 +4,20 @@ on:
   push:
     branches:
       - main
-      - release/v**
   pull_request:
-    branches-ignore:
-      - release/v*.*.* # macOS code-signing only works on `push` events, not `pull_request` events
+    branches:
+      - main
 
 jobs:
+  prepare:
+    name: Prepare
+    runs-on: ubuntu-latest
+    if: ${{ !startsWith(github.head_ref, 'release/v') }}
+
   lint:
     name: Lint App
     uses: ./.github/workflows/lint.yml
+    needs: prepare
 
   tests:
     name: Tests
@@ -23,14 +28,6 @@ jobs:
     name: Build
     uses: ./.github/workflows/build.yml
     needs: tests
-    if: ${{ !startsWith(github.head_ref, 'release/v') }}
 
-  release:
-    name: Release
-    uses: ./.github/workflows/release.yml
-    needs: tests
-    if: ${{ startsWith(github.head_ref, 'release/v') }}
-    permissions: 
-      contents: write
 
 

.github/workflows/publish.yml

@@ -0,0 +1,93 @@
+name: Publish
+
+on: 
+  workflow_call:
+  workflow_dispatch: # For manually running release process to verify code-signing of artifacts
+
+permissions:
+  contents: write
+
+jobs:
+  release-macos:
+    name: Publish macOS (electron-builder)
+    runs-on: macos-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v3
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm build
+        env:
+          OAUTH_CLIENT_ID: ${{ secrets.oauth_client_id }}
+          OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
+      - run: pnpm prepare:remove-source-maps
+      - run: pnpm package:macos --publish onTagOrDraft
+        env:
+          APPLEID_USERNAME: ${{ secrets.appleid_username }}
+          APPLEID_PASSWORD: ${{ secrets.appleid_password }}
+          APPLEID_TEAM_ID: ${{ secrets.appleid_teamid }}
+          CSC_LINK: ${{ secrets.mac_certs }}
+          CSC_KEY_PASSWORD: ${{ secrets.mac_certs_password }}
+          GH_TOKEN: ${{ secrets.github_token }}
+          NOTARIZE: true
+      - uses: actions/upload-artifact@v4
+        with:
+          name: Gitify-release-mac
+          path: dist/
+          overwrite: true
+
+  release-windows:
+    name: Publish Windows (electron-builder)
+    runs-on: windows-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v3
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm build
+        env:
+          OAUTH_CLIENT_ID: ${{ secrets.oauth_client_id }}
+          OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
+      - run: pnpm prepare:remove-source-maps
+      - run: pnpm package:win --publish onTagOrDraft
+        env:
+          GH_TOKEN: ${{ secrets.github_token }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: Gitify-release-win
+          path: dist/
+          overwrite: true
+
+  release-linux:
+    name: Publish Linux (electron-builder)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v3
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+      - run: pnpm install
+      - run: pnpm build
+        env:
+          OAUTH_CLIENT_ID: ${{ secrets.oauth_client_id }}
+          OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
+      - run: pnpm prepare:remove-source-maps
+      - run: pnpm package:linux --publish onTagOrDraft
+        env:
+          GH_TOKEN: ${{ secrets.github_token }}
+      - uses: actions/upload-artifact@v4
+        with:
+          name: Gitify-release-linux
+          path: dist/
+          overwrite: true

.github/workflows/release.yml

@@ -1,93 +1,23 @@
 name: Release
 
-on: 
-  workflow_call:
-  workflow_dispatch: # For manually running release process to verify code-signing of artifacts
-
-permissions:
-  contents: write
+on:
+  push:
+    branches:
+      - release/v*.*.*
 
 jobs:
-  release-macos:
-    name: Publish macOS (electron-builder)
-    runs-on: macos-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'pnpm'
-      - run: pnpm install
-      - run: pnpm build
-        env:
-          OAUTH_CLIENT_ID: ${{ secrets.oauth_client_id }}
-          OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
-      - run: pnpm prepare:remove-source-maps
-      - run: pnpm package:macos --publish onTagOrDraft
-        env:
-          APPLEID_USERNAME: ${{ secrets.appleid_username }}
-          APPLEID_PASSWORD: ${{ secrets.appleid_password }}
-          APPLEID_TEAM_ID: ${{ secrets.appleid_teamid }}
-          CSC_LINK: ${{ secrets.mac_certs }}
-          CSC_KEY_PASSWORD: ${{ secrets.mac_certs_password }}
-          GH_TOKEN: ${{ secrets.github_token }}
-          NOTARIZE: true
-      - uses: actions/upload-artifact@v4
-        with:
-          name: Gitify-release-mac
-          path: dist/
-          overwrite: true
-
-  release-windows:
-    name: Publish Windows (electron-builder)
-    runs-on: windows-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'pnpm'
-      - run: pnpm install
-      - run: pnpm build
-        env:
-          OAUTH_CLIENT_ID: ${{ secrets.oauth_client_id }}
-          OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
-      - run: pnpm prepare:remove-source-maps
-      - run: pnpm package:win --publish onTagOrDraft
-        env:
-          GH_TOKEN: ${{ secrets.github_token }}
-      - uses: actions/upload-artifact@v4
-        with:
-          name: Gitify-release-win
-          path: dist/
-          overwrite: true
-
-  release-linux:
-    name: Publish Linux (electron-builder)
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: '.nvmrc'
-          cache: 'pnpm'
-      - run: pnpm install
-      - run: pnpm build
-        env:
-          OAUTH_CLIENT_ID: ${{ secrets.oauth_client_id }}
-          OAUTH_CLIENT_SECRET: ${{ secrets.oauth_client_secret }}
-      - run: pnpm prepare:remove-source-maps
-      - run: pnpm package:linux --publish onTagOrDraft
-        env:
-          GH_TOKEN: ${{ secrets.github_token }}
-      - uses: actions/upload-artifact@v4
-        with:
-          name: Gitify-release-linux
-          path: dist/
-          overwrite: true
+  lint:
+    name: Lint App
+    uses: ./.github/workflows/lint.yml
+
+  tests:
+    name: Tests
+    uses: ./.github/workflows/test.yml
+    needs: lint
+
+  release:
+    name: Release
+    uses: ./.github/workflows/release.yml
+    needs: tests
+    permissions: 
+      contents: write