vana-com · callumflack · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -154,7 +154,6 @@ jobs:
       - name: Build Tauri app
         uses: tauri-apps/tauri-action@v0
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           VITE_PRIVY_APP_ID: ${{ secrets.VITE_PRIVY_APP_ID }}
           VITE_PRIVY_CLIENT_ID: ${{ secrets.VITE_PRIVY_CLIENT_ID }}
           VITE_SESSION_RELAY_URL: ${{ secrets.VITE_SESSION_RELAY_URL }}
@@ -166,11 +165,6 @@ jobs:
           APPLE_API_KEY: ${{ secrets.APPLE_ASC_API_KEY_ID }}
           APPLE_API_ISSUER: ${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}
         with:
-          tagName: ${{ github.ref_name }}
-          releaseName: 'DataConnect v__VERSION__'
-          releaseBody: 'See the assets to download this version and install.'
-          releaseDraft: false
-          prerelease: false
           args: --target ${{ matrix.target }}
 
       - name: Free disk space before finalization
@@ -190,14 +184,19 @@ jobs:
           df -h / || true
         shell: bash
 
-      - name: Copy native modules and finalize bundles
+      - name: Finalize bundles
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+          TAURI_SIGNING_PRIVATE_KEY_PATH: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PATH }}
+          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         run: |
-          set -x  # Enable verbose debugging
+          set -euo pipefail
 
-          # Copy node_modules into macOS .app bundles (preserving directory structure)
+          # Re-sign the completed macOS app and recreate the DMG from the final app.
+          # personal-server/dist/node_modules is already bundled by Tauri resources.
           if [ "${{ matrix.platform }}" = "macos-latest" ]; then
+            echo "=== Finalizing macOS bundles for ${{ matrix.target }} ==="
             # Debug: Show what's in personal-server/dist
             echo "=== Contents of personal-server/dist ==="
             ls -la personal-server/dist/ || echo "dist not found"
@@ -214,34 +213,19 @@ jobs:
                 "$node_binary"
             done
 
-            for app in src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app; do
-              [ -e "$app" ] || { echo "No .app found at $app"; continue; }
-              echo "=== Processing $app ==="
-
-              # Show current state
-              echo "Before copy - Resources contents:"
-              ls -la "$app/Contents/Resources/personal-server/dist/" || echo "personal-server/dist not in Resources"
-
-              dest="$app/Contents/Resources/personal-server/dist/node_modules"
-              mkdir -p "$dest"
-
-              # Copy with verbose output
-              if [ -d "personal-server/dist/node_modules" ]; then
-                cp -Rv personal-server/dist/node_modules/* "$dest/"
-                echo "=== After copy - node_modules contents ==="
-                ls -la "$dest/" || echo "copy failed"
-              else
-                echo "ERROR: personal-server/dist/node_modules does not exist!"
-                exit 1
-              fi
-
-              echo "Copied node_modules to $dest"
-            done
-
             # Re-sign nested binaries with their entitlements, then re-sign the .app
             for app in src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app; do
               [ -e "$app" ] || continue
 
+              echo "=== Processing $app ==="
+              app_name=$(basename "$app" .app)
+              version=$(grep '"version"' src-tauri/tauri.conf.json | head -1 | sed 's/.*: "\(.*\)".*/\1/')
+              arch=$(echo "${{ matrix.target }}" | cut -d- -f1)
+              updater_name="${app_name}_${version}_${arch}.app.tar.gz"
+              echo "Bundled resource contents:"
+              ls -la "$app/Contents/Resources/personal-server/dist/" || echo "personal-server/dist not in Resources"
+              ls -la "$app/Contents/Resources/personal-server/dist/node_modules/" || { echo "ERROR: node_modules NOT in app bundle!"; exit 1; }
+
               # Sign personal-server binary with JIT entitlements (--deep would strip them)
               ps_bin="$app/Contents/Resources/personal-server/dist/${{ matrix.ps_binary_name }}"
               if [ -f "$ps_bin" ]; then
@@ -264,6 +248,35 @@ jobs:
                 --sign "Developer ID Application: Corsali, Inc (${{ secrets.APPLE_TEAM_ID }})" \
                 "$app"
               echo "Re-signed $app"
+
+              # Notarize/staple the finalized .app before packaging the updater tarball.
+              APPLE_NOTARY_KEY_PATH="$APPLE_API_KEY_PATH" \
+              APPLE_NOTARY_KEY_ID="${{ secrets.APPLE_ASC_API_KEY_ID }}" \
+              APPLE_NOTARY_ISSUER="${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}" \
+              node scripts/notarize-macos-app.mjs \
+                --app "$app" \
+                --output-dir "src-tauri/target/${{ matrix.target }}/release/bundle/macos"
+
+              # Create updater artifacts from the finalized notarized .app, not the pre-finalization Tauri output.
+              if [ -n "$TAURI_SIGNING_PRIVATE_KEY" ] || [ -n "$TAURI_SIGNING_PRIVATE_KEY_PATH" ]; then
+                node scripts/build-macos-updater-artifacts.mjs \
+                  --app "$app" \
+                  --output-dir "src-tauri/target/${{ matrix.target }}/release/bundle/macos" \
+                  --artifact-name "$updater_name"
+
+                # Smoke-check the updater payload after tar packaging. This must stay a hard gate.
+                updater_smoke_dir="/tmp/updater_smoke_${arch}"
+                rm -rf "$updater_smoke_dir"
+                mkdir -p "$updater_smoke_dir"
+                tar -xzf "src-tauri/target/${{ matrix.target }}/release/bundle/macos/$updater_name" -C "$updater_smoke_dir"
+                extracted_app="$updater_smoke_dir/$(basename "$app")"
+                xcrun stapler validate "$extracted_app"
+                spctl --assess -vv "$extracted_app"
+                codesign --verify --strict "$extracted_app"
+                rm -rf "$updater_smoke_dir"
+              else
+                echo "::notice::Skipping finalized macOS updater artifact generation because no Tauri updater signing key is configured"
+              fi
             done
 
             # Recreate DMG with updated .app (including Applications symlink)
@@ -314,7 +327,7 @@ jobs:
               # Notarize the DMG using App Store Connect API key
               echo "=== Notarizing $dmg_path ==="
               if xcrun notarytool submit "$dmg_path" \
-                --key "${{ env.APPLE_API_KEY_PATH }}" \
+                --key "$APPLE_API_KEY_PATH" \
                 --key-id "${{ secrets.APPLE_ASC_API_KEY_ID }}" \
                 --issuer "${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}" \
                 --wait 2>&1 | tee /tmp/notarize_${arch}.log; then
@@ -328,7 +341,7 @@ jobs:
                 if [ -n "$submission_id" ]; then
                   echo "=== Fetching notarization log for $submission_id ==="
                   xcrun notarytool log "$submission_id" \
-                    --key "${{ env.APPLE_API_KEY_PATH }}" \
+                    --key "$APPLE_API_KEY_PATH" \
                     --key-id "${{ secrets.APPLE_ASC_API_KEY_ID }}" \
                     --issuer "${{ secrets.APPLE_ASC_API_KEY_ISSUER_UUID }}" || true
                 fi
@@ -378,6 +391,13 @@ jobs:
                 echo "Uploaded $(basename "$f")"
               fi
             done
+            for f in src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app.tar.gz \
+                     src-tauri/target/${{ matrix.target }}/release/bundle/macos/*.app.tar.gz.sig; do
+              if [ -f "$f" ]; then
+                gh release upload "${{ github.ref_name }}" "$f" --clobber
+                echo "Uploaded $(basename "$f")"
+              fi
+            done
           fi
 
           # Upload Linux artifacts