+1

AGENTS.md

reviewed

··· 114 114 - Automatically commit your changes and your changes only. Do not use `git add .` 115 115 - Before you go on your task, check the current git branch name, if it's something generic like an animal name, name it accordingly. Do not do this for main branch 116 116 - After implementing an execplan, always submit a PR if you're not in the main branch 117 117 + - Fork releases must be notarized. Never publish non-notarized releases (`ENABLE_NOTARIZATION=0` is forbidden). 117 118 118 119 ## Submodules 119 120

+2 -2

doc-onevcat/fork-sync-and-release.md

reviewed

··· 80 80 4) Zip app bundle. 81 81 5) Create tag and upload zip to your fork GitHub Release page. 82 82 83 83 - If you want the old behavior (no notarization), set `ENABLE_NOTARIZATION=0`. 83 83 + Non-notarized publishing is intentionally disabled for this fork. 84 84 85 85 ## Helper Scripts 86 86 ··· 89 89 - Default target repo: auto-detected from `origin` 90 90 - Override target repo: `GH_REPO=owner/repo` 91 91 - Release create fallback: if `gh release create` fails (for example token scope mismatch), script falls back to `gh api` and then uploads assets 92 92 - - Notarization: enabled by default (`ENABLE_NOTARIZATION=1`) 92 92 + - Notarization: mandatory (the script exits if `ENABLE_NOTARIZATION!=1`) 93 93 - Default keychain profile name: `supacode-notary` (override with `APPLE_NOTARY_KEYCHAIN_PROFILE`) 94 94 95 95 ### Example

+23 -20

doc-onevcat/scripts/release-to-fork.sh

reviewed

··· 169 169 SHORT_SHA="$(git rev-parse --short HEAD)" 170 170 DEFAULT_TAG="onevcat-v$(date +%Y.%m.%d)-${SHORT_SHA}" 171 171 TAG="${1:-$DEFAULT_TAG}" 172 172 - ENABLE_NOTARIZATION="${ENABLE_NOTARIZATION:-1}" 173 172 KEYCHAIN_PROFILE="${APPLE_NOTARY_KEYCHAIN_PROFILE:-supacode-notary}" 174 173 SIGNING_IDENTITY="${APPLE_SIGNING_IDENTITY:-}" 175 174 TEAM_ID_INPUT="${APPLE_TEAM_ID:-}" 176 175 APPLE_ID_INPUT="${APPLE_ID:-}" 177 176 APPLE_PASSWORD_INPUT="${APPLE_PASSWORD:-}" 177 177 + 178 178 + if [[ "${ENABLE_NOTARIZATION:-1}" != "1" ]]; then 179 179 + echo "error: publishing non-notarized releases is forbidden for this fork" 180 180 + echo "error: remove ENABLE_NOTARIZATION=0 and provide notarization credentials" 181 181 + exit 1 182 182 + fi 183 183 + ENABLE_NOTARIZATION="1" 178 184 179 185 echo "[release] repository: ${REPO}" 180 186 echo "[release] tag: ${TAG}" ··· 203 209 ZIP_PATH="build/${PRODUCT_NAME%.app}-${TAG}.app.zip" 204 210 NOTES_PATH="build/release-notes-${TAG}.md" 205 211 SUBMISSION_ZIP="build/notary-submit-${TAG}.app.zip" 206 206 - BUILD_TYPE="Debug (unsigned)" 212 212 + BUILD_TYPE="Debug (Developer ID signed + notarized)" 207 213 208 208 - if [[ "${ENABLE_NOTARIZATION}" == "1" ]]; then 209 209 - if ! command -v xcrun >/dev/null 2>&1; then 210 210 - echo "error: xcrun is required for notarization" 211 211 - exit 1 212 212 - fi 213 213 - if ! command -v codesign >/dev/null 2>&1; then 214 214 - echo "error: codesign is required for notarization" 215 215 - exit 1 216 216 - fi 217 217 - if [[ -z "$SIGNING_IDENTITY" ]]; then 218 218 - SIGNING_IDENTITY="$(default_signing_identity || true)" 219 219 - fi 220 220 - if [[ -z "$SIGNING_IDENTITY" ]]; then 221 221 - echo "error: APPLE_SIGNING_IDENTITY is not set and no Developer ID Application identity was found" 222 222 - exit 1 223 223 - fi 224 224 - sign_and_notarize_app "${APP_PATH}" "${SUBMISSION_ZIP}" 225 225 - BUILD_TYPE="Debug (Developer ID signed + notarized)" 214 214 + if ! command -v xcrun >/dev/null 2>&1; then 215 215 + echo "error: xcrun is required for notarization" 216 216 + exit 1 217 217 + fi 218 218 + if ! command -v codesign >/dev/null 2>&1; then 219 219 + echo "error: codesign is required for notarization" 220 220 + exit 1 221 221 + fi 222 222 + if [[ -z "$SIGNING_IDENTITY" ]]; then 223 223 + SIGNING_IDENTITY="$(default_signing_identity || true)" 224 224 + fi 225 225 + if [[ -z "$SIGNING_IDENTITY" ]]; then 226 226 + echo "error: APPLE_SIGNING_IDENTITY is not set and no Developer ID Application identity was found" 227 227 + exit 1 226 228 fi 229 229 + sign_and_notarize_app "${APP_PATH}" "${SUBMISSION_ZIP}" 227 230 228 231 echo "[release] package ${APP_PATH} -> ${ZIP_PATH}" 229 232 ditto -c -k --sequesterRsrc --keepParent "${APP_PATH}" "${ZIP_PATH}"