Add signed release pipeline with GitHub Actions

Entitlements for app sandbox, file access, and networking.
GitHub Actions workflow builds a universal binary, signs with
Developer ID, notarizes with Apple, and publishes DMG + ZIP
to GitHub Releases on version tags.

Author: marckohlbrugge

.github/workflows/release.yml

@@ -0,0 +1,140 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  build-and-release:
+    name: Build, sign, notarize, and release
+    runs-on: macos-15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Import signing certificate
+        env:
+          CERTIFICATE_BASE64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE64 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }}
+        run: |
+          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
+          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+          echo "::add-mask::$KEYCHAIN_PASSWORD"
+
+          # Create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Import certificate
+          CERT_PATH="$RUNNER_TEMP/certificate.p12"
+          echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
+          security import "$CERT_PATH" \
+            -k "$KEYCHAIN_PATH" \
+            -P "$CERTIFICATE_PASSWORD" \
+            -T /usr/bin/codesign
+          rm -f "$CERT_PATH"
+
+          # Allow codesign to access the keychain
+          security set-key-partition-list \
+            -S apple-tool:,apple:,codesign: \
+            -s -k "$KEYCHAIN_PASSWORD" \
+            "$KEYCHAIN_PATH"
+
+          # Add to search list
+          EXISTING_KEYCHAINS="$(security list-keychains -d user | tr -d '"' | tr '\n' ' ')"
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $EXISTING_KEYCHAINS
+
+      - name: Build
+        run: swift build -c release --arch arm64 --arch x86_64
+
+      - name: Prepare app bundle
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          APP_BUNDLE=".build/Reading List.app"
+          PLIST="$APP_BUNDLE/Contents/Info.plist"
+
+          # Set version
+          /usr/libexec/PlistBuddy -c "Set :CFBundleShortVersionString $VERSION" "$PLIST"
+          /usr/libexec/PlistBuddy -c "Set :CFBundleVersion $(date +%Y%m%d%H%M%S)" "$PLIST"
+
+      - name: Sign app
+        env:
+          DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
+        run: |
+          codesign --force \
+            --sign "$DEVELOPER_ID_APPLICATION" \
+            --entitlements Entitlements.plist \
+            --options runtime \
+            --timestamp \
+            ".build/Reading List.app"
+
+          codesign --verify --strict ".build/Reading List.app"
+
+      - name: Notarize app
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          TEAM_ID: ${{ secrets.TEAM_ID }}
+        run: |
+          ditto -c -k --keepParent ".build/Reading List.app" "ReadingList-notarize.zip"
+
+          xcrun notarytool submit "ReadingList-notarize.zip" \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_ID_PASSWORD" \
+            --team-id "$TEAM_ID" \
+            --wait
+
+          xcrun stapler staple ".build/Reading List.app"
+          rm -f "ReadingList-notarize.zip"
+
+      - name: Create DMG
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+          DEVELOPER_ID_APPLICATION: ${{ secrets.DEVELOPER_ID_APPLICATION }}
+        run: |
+          mkdir -p dmg-staging
+          cp -R ".build/Reading List.app" dmg-staging/
+          ln -s /Applications dmg-staging/Applications
+
+          hdiutil create \
+            -volname "Reading List" \
+            -srcfolder dmg-staging \
+            -ov \
+            -format UDZO \
+            "Reading-List-${VERSION}.dmg"
+
+          codesign --force --sign "$DEVELOPER_ID_APPLICATION" --timestamp "Reading-List-${VERSION}.dmg"
+          rm -rf dmg-staging
+
+      - name: Create ZIP
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          ditto -c -k --keepParent ".build/Reading List.app" "Reading-List-${VERSION}.zip"
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ github.token }}
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          gh release create "$GITHUB_REF_NAME" \
+            --title "Reading List v${VERSION}" \
+            --generate-notes \
+            "Reading-List-${VERSION}.dmg#Reading List ${VERSION} (DMG)" \
+            "Reading-List-${VERSION}.zip#Reading List ${VERSION} (ZIP)"
+
+      - name: Cleanup keychain
+        if: always()
+        run: |
+          KEYCHAIN_PATH="$RUNNER_TEMP/build.keychain-db"
+          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true

CLAUDE.md

@@ -0,0 +1,37 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Reading List is a native macOS app (Swift 6, SwiftUI) for browsing Safari's Reading List. It reads and writes `~/Library/Safari/Bookmarks.plist` directly—there is no public Apple API for this. The app is built with Swift Package Manager (not Xcode project files).
+
+## Build & Run
+
+```bash
+swift build                          # compile
+swift run "Reading List"             # run normally
+swift run "Reading List" --demo-data # run with fake data (no plist access)
+```
+
+The product name is `"Reading List"` (with a space); the SPM target is `ReadLater`.
+
+## Architecture
+
+All source is in `Sources/ReadLater/`. Key layers:
+
+- **SafariReadingListService** — reads/writes Safari's `Bookmarks.plist` (binary plist parsing, no Apple API). Handles fetch, mark-read, mark-unread. This is a `Sendable` struct; heavy work runs on detached tasks.
+- **BookmarkAccessManager** — manages App Sandbox security-scoped bookmark access to the plist. Uses `NSOpenPanel` file picker on first launch; persists access via `UserDefaults` bookmark data.
+- **ReadingListViewModel** — `@MainActor ObservableObject` driving the UI. Holds all items, computes filtered/displayed items by folder selection, search query, and read-status filter.
+- **SmartFolderStore** — persists custom smart folders to `~/Library/Application Support/ReadLater/custom-smart-folders.json`. Seeds default folders (Recently Added, Videos, PDFs) on first run.
+- **SmartFolders** — defines `SmartFolder`, `CustomSmartFolder`, `FolderSelection`, and `AddedDateFilter`. Smart folders match items by hostname set, keyword list, and date filter.
+- **ContentView** — three-column `NavigationSplitView`: sidebar (smart lists + domain folders), item list (with pagination at 250-item pages), and web preview pane.
+- **FaviconStore** — uses Nuke/NukeUI for favicon loading via Google's favicon service, with a 100 MB disk cache.
+
+## Key Conventions
+
+- Swift 6 strict concurrency; `@MainActor` on view models and stores, `Sendable` on services and models.
+- macOS 13+ minimum deployment target.
+- Demo mode (`--demo-data` flag or `READING_LIST_DEMO=1` env var) uses `DemoReadingListData` — no file system access.
+- Read-status writes go directly to Safari's `Bookmarks.plist` (atomic write). This is the only write operation.
+- `ReadingListItem.id` is a composite of URL + dateAdded timestamp to handle duplicate URLs.

Entitlements.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+</dict>
+</plist>

README.md

@@ -8,6 +8,19 @@ Safari makes it very easy to save links for later on macOS and iOS, but there is
 
 This project is meant to be that missing macOS companion: a focused app for rediscovering your saved Safari Reading List items.
 
+## Download
+
+Download the latest version from the [GitHub Releases](../../releases/latest) page.
+
+- **Reading-List-x.x.x.dmg** — open the DMG and drag "Reading List" to your Applications folder.
+- **Reading-List-x.x.x.zip** — unzip and move "Reading List.app" to your Applications folder.
+
+The app is signed and notarized with Apple, so macOS will allow it to run without security warnings.
+
+**Requirements:** macOS 13 (Ventura) or later.
+
+On first launch, the app asks you to select your `~/Library/Safari/Bookmarks.plist` file. You only need to do this once.
+
 ## Design inspiration
 
 The UI is partly inspired by NetNewsWire and follows traditional macOS design patterns with native controls.
@@ -64,7 +77,7 @@ swift run "Reading List" --demo-data
 
 In demo mode, the app does not read from or write to Safari's `Bookmarks.plist`.
 
-## Build and run
+## Build from source
 
 1. Open this folder in Xcode and run the `Reading List` executable product.
 2. Or run from Terminal:
@@ -81,8 +94,7 @@ sudo xcodebuild -license
 
 ## Project status
 
-This is currently a fast-moving source project.  
-I may publish a packaged version later (for example App Store or direct download), but for now the intended way to use it is to build from source yourself.
+This app is under active development and should be considered beta software.
 
 ## Contributions and support
 

RELEASING.md

@@ -0,0 +1,92 @@
+# Releasing Reading List
+
+## One-time setup
+
+### 1. Create a Developer ID Application certificate
+
+You need a **Developer ID Application** certificate (not a regular development cert) to sign apps for distribution outside the Mac App Store.
+
+1. Open **Keychain Access** on your Mac.
+2. Go to **Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority**.
+3. Fill in your email, select "Saved to disk", and save the CSR file.
+4. Go to [Apple Developer > Certificates](https://developer.apple.com/account/resources/certificates/list).
+5. Click **+**, select **Developer ID Application**, upload your CSR.
+6. Download and double-click the certificate to install it in your keychain.
+
+### 2. Export the certificate as .p12
+
+1. Open **Keychain Access**.
+2. Find your **Developer ID Application** certificate (under "My Certificates").
+3. Right-click > **Export** as `.p12` format. Set a strong password.
+4. Base64-encode it: `base64 -i certificate.p12 | pbcopy`
+
+### 3. Create an app-specific password
+
+1. Go to [appleid.apple.com](https://appleid.apple.com) > Sign-In and Security > App-Specific Passwords.
+2. Generate one named "Reading List Notarization".
+
+### 4. Find your Team ID
+
+1. Go to [Apple Developer > Membership Details](https://developer.apple.com/account#MembershipDetailsCard).
+2. Copy your **Team ID** (10-character alphanumeric string).
+
+### 5. Find your signing identity name
+
+Run this in Terminal:
+
+```bash
+security find-identity -v -p codesigning | grep "Developer ID Application"
+```
+
+Copy the full identity string, e.g.: `Developer ID Application: Your Name (TEAMID123)`
+
+### 6. Add GitHub repository secrets
+
+Go to your repo's **Settings > Secrets and variables > Actions** and add:
+
+| Secret | Value |
+|---|---|
+| `DEVELOPER_ID_CERTIFICATE_BASE64` | Base64-encoded .p12 file contents |
+| `DEVELOPER_ID_CERTIFICATE_PASSWORD` | Password you set when exporting the .p12 |
+| `DEVELOPER_ID_APPLICATION` | Full signing identity, e.g. `Developer ID Application: Your Name (TEAM123)` |
+| `APPLE_ID` | Your Apple ID email |
+| `APPLE_ID_PASSWORD` | App-specific password from step 3 |
+| `TEAM_ID` | Your 10-character Team ID |
+
+## Creating a release
+
+Tag a new version and push:
+
+```bash
+git tag v1.0.0
+git push origin v1.0.0
+```
+
+This triggers the GitHub Actions workflow which will:
+
+1. Build a universal binary (ARM + Intel)
+2. Sign with your Developer ID certificate
+3. Notarize with Apple
+4. Create a DMG and ZIP
+5. Publish a GitHub Release with both artifacts
+
+## Building locally (optional)
+
+To build a signed and notarized release on your own machine:
+
+```bash
+export DEVELOPER_ID_APPLICATION="Developer ID Application: Your Name (TEAM123)"
+export APPLE_ID="your@email.com"
+export APPLE_ID_PASSWORD="xxxx-xxxx-xxxx-xxxx"
+export TEAM_ID="TEAM123"
+
+./scripts/build-release.sh
+```
+
+Artifacts are written to `.build/Reading-List-<version>.dmg` and `.build/Reading-List-<version>.zip`.
+
+## What users get
+
+Users download the DMG, open it, and drag "Reading List" to their Applications folder. Because the app is signed and notarized, macOS Gatekeeper will allow it to run without security warnings.
+
+On first launch, the app asks the user to select their `~/Library/Safari/Bookmarks.plist` file via a standard file picker (required for sandbox access).