feat(build): add macOS code signing and notarization support

- Add GitHub Actions workflow for macOS builds (x64 and arm64)
- Configure electron-builder with hardened runtime and entitlements
- Add notarization script using @electron/notarize
- Support both manual and tag-triggered releases with Apple App Store Connect API
- Add macOS entitlements plists for JIT and library validation
- Update .gitignore to preserve build/ directory entitlements

Author: aramb-dev

.github/workflows/release-mac.yml

@@ -0,0 +1,64 @@
+name: Build/release (macOS)
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: macos-latest
+
+    env:
+      APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+      APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
+      APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [x64, arm64]
+
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Import macOS signing certificate
+        uses: apple-actions/import-codesign-certs@v3
+        with:
+          p12-file-base64: ${{ secrets.MAC_CERTS }}
+          p12-password: ${{ secrets.MAC_CERTS_PASSWORD }}
+
+      - name: Prepare Apple notarization key
+        if: ${{ env.APPLE_API_KEY != '' && env.APPLE_API_KEY_ID != '' && env.APPLE_API_ISSUER_ID != '' }}
+        run: |
+          printf "%s" "$APPLE_API_KEY" > "$RUNNER_TEMP/AuthKey.p8"
+          echo "APPLE_API_KEY_PATH=$RUNNER_TEMP/AuthKey.p8" >> $GITHUB_ENV
+
+      - name: Build app
+        run: bun run build
+
+      - name: Build (electron-builder)
+        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: bunx electron-builder --mac --${{ matrix.arch }} --publish never
+
+      - name: Build + publish (electron-builder)
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        run: bunx electron-builder --mac --${{ matrix.arch }} --publish always
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPLE_API_KEY_ID: ${{ env.APPLE_API_KEY_ID }}
+          APPLE_API_ISSUER_ID: ${{ env.APPLE_API_ISSUER_ID }}

.gitignore

@@ -3,6 +3,10 @@ build*
 .eggs*
 .vscode*
 
+!build/
+!build/entitlements.mac.plist
+!build/entitlements.mac.inherit.plist
+
 # Node.js
 node_modules/
 npm-debug.log*

build/entitlements.mac.inherit.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

build/entitlements.mac.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

package.json

@@ -31,6 +31,7 @@
     "directories": {
       "output": "release"
     },
+    "afterSign": "scripts/notarize.js",
     "files": [
       "src/main.js",
       "dist/**/*",
@@ -41,6 +42,10 @@
     "mac": {
       "category": "public.app-category.utilities",
       "icon": "icon.icns",
+      "hardenedRuntime": true,
+      "entitlements": "build/entitlements.mac.plist",
+      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
+      "gatekeeperAssess": false,
       "target": [
         {
           "target": "dmg",
@@ -71,6 +76,7 @@
     "@babel/core": "^7.28.4",
     "@babel/preset-env": "^7.28.5",
     "@babel/preset-react": "^7.27.1",
+    "@electron/notarize": "^2.5.0",
     "@electron-forge/cli": "^7.9.0",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.0",

scripts/notarize.js

@@ -0,0 +1,25 @@
+const path = require('path');
+const { notarize } = require('@electron/notarize');
+
+module.exports = async function notarizing(context) {
+  if (process.platform !== 'darwin') return;
+
+  const appleApiKeyPath = process.env.APPLE_API_KEY_PATH;
+  const appleApiKeyId = process.env.APPLE_API_KEY_ID;
+  const appleApiIssuer = process.env.APPLE_API_ISSUER_ID;
+
+  if (!appleApiKeyPath || !appleApiKeyId || !appleApiIssuer) {
+    return;
+  }
+
+  const { appOutDir, packager } = context;
+  const appName = packager.appInfo.productFilename;
+  const appPath = path.join(appOutDir, `${appName}.app`);
+
+  await notarize({
+    appPath,
+    appleApiKey: appleApiKeyPath,
+    appleApiKeyId,
+    appleApiIssuer,
+  });
+};