feat: add macOS code signing and notarization to release workflow (#3)

Adds signing env vars (CSC_LINK, APPLE_ID, etc.) and enables notarization
in electron-builder config. Requires repo secrets to be configured.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: dbfx

.github/workflows/release.yml

@@ -93,6 +93,11 @@ jobs:
           AZURE_TENANT_ID: ${{ runner.os == 'Windows' && secrets.AZURE_TENANT_ID || '' }}
           AZURE_CLIENT_ID: ${{ runner.os == 'Windows' && secrets.AZURE_CLIENT_ID || '' }}
           AZURE_CLIENT_SECRET: ${{ runner.os == 'Windows' && secrets.AZURE_CLIENT_SECRET || '' }}
+          CSC_LINK: ${{ runner.os == 'macOS' && secrets.MAC_CERTIFICATE_P12 || '' }}
+          CSC_KEY_PASSWORD: ${{ runner.os == 'macOS' && secrets.MAC_CERTIFICATE_PASSWORD || '' }}
+          APPLE_ID: ${{ runner.os == 'macOS' && secrets.APPLE_ID || '' }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ runner.os == 'macOS' && secrets.APPLE_APP_SPECIFIC_PASSWORD || '' }}
+          APPLE_TEAM_ID: ${{ runner.os == 'macOS' && secrets.APPLE_TEAM_ID || '' }}
         run: |
           npx electron-vite build
           if [ "$RUNNER_OS" = "Windows" ]; then

electron-builder.yml

@@ -42,7 +42,10 @@ mac:
         - arm64
   icon: resources/icon.png
   category: public.app-categories.utilities
-  identity: null
+  hardenedRuntime: true
+  entitlements: resources/entitlements.mac.plist
+  entitlementsInherit: resources/entitlements.mac.plist
+  notarize: true
   artifactName: Kudu-${version}-${arch}.${ext}
 
 linux: