feat: macOS 双架构分离构建 — x64 只签名，arm64 签名+条件公证

7418 · claude · 7418 · commit db86644c7e35 · 2026-03-03T11:35:50.000+08:00
CI:
- 拆分为 x64 和 arm64 两个独立构建步骤
- x64: 签名但不公证（-c.mac.notarize=false），timeout 15min
- arm64: 签名 + 按版本号条件公证（vX.Y.0 公证，vX.Y.Z 只签名），timeout 35min
- 先跑 x64，stash 产物后跑 arm64，确保 latest-mac.yml 来自 arm64

Electron:
- electron/main.ts: darwin+x64 跳过 initAutoUpdater
- electron/preload.ts: darwin+x64 不暴露 updater bridge
- 前端 AppShell 已有运行时检测（!!window.electronAPI?.updater），
  x64 自动 fallback 到 browser 模式更新检查

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,7 +14,7 @@ on:
           - macos
           - linux
       mac_notarize:
-        description: "mac notarization mode"
+        description: "mac notarization mode (arm64 only)"
         required: false
         default: "auto"
         type: choice
@@ -88,7 +88,7 @@ jobs:
           printf '%s' "$MAC_CERT_P12_BASE64" | tr -d '\r\n' | base64 --decode > /tmp/cert.p12
           openssl pkcs12 -in /tmp/cert.p12 -passin pass:"$MAC_CERT_PASSWORD" -noout
 
-      - name: Resolve mac notarization strategy
+      - name: Resolve arm64 notarization strategy
         id: mac_mode
         shell: bash
         env:
@@ -115,7 +115,7 @@ jobs:
 
           echo "mode=$MODE" >> "$GITHUB_OUTPUT"
           echo "notarize=$NOTARIZE" >> "$GITHUB_OUTPUT"
-          echo "Resolved mac notarization: $NOTARIZE (mode=$MODE, ref=$REF_NAME)"
+          echo "Resolved arm64 notarization: $NOTARIZE (mode=$MODE, ref=$REF_NAME)"
 
       - name: Validate notarization credentials
         if: ${{ env.HAS_CERT == 'true' && steps.mac_mode.outputs.notarize == 'true' }}
@@ -130,7 +130,32 @@ jobs:
             --password "$APPLE_APP_SPECIFIC_PASSWORD" \
             --team-id "$APPLE_TEAM_ID" >/dev/null
 
-      - name: Package for macOS (x64 + arm64)
+      # ── x64: sign only, no notarization ──────────────────────────────────
+      - name: Package for macOS (x64, sign only)
+        timeout-minutes: 15
+        env:
+          CSC_LINK: ${{ env.HAS_CERT == 'true' && '/tmp/cert.p12' || '' }}
+          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERT_PASSWORD }}
+        run: |
+          set -euo pipefail
+          for i in 1 2 3; do
+            echo "electron-builder x64 attempt $i/3 (notarize=false)"
+            if npx electron-builder --mac --x64 --config electron-builder.yml -c.mac.notarize=false --publish never; then
+              exit 0
+            fi
+            if [ "$i" -lt 3 ]; then sleep $((i * 30)); fi
+          done
+          exit 1
+
+      # Move x64 artifacts aside so arm64 build produces clean latest-mac.yml
+      - name: Stash x64 artifacts
+        run: |
+          mkdir -p release/x64-stash
+          mv release/*.dmg release/*.zip release/*.blockmap release/x64-stash/ 2>/dev/null || true
+          rm -f release/latest-mac.yml
+
+      # ── arm64: sign + conditional notarization ───────────────────────────
+      - name: Package for macOS (arm64)
         timeout-minutes: 35
         env:
           CSC_LINK: ${{ env.HAS_CERT == 'true' && '/tmp/cert.p12' || '' }}
@@ -148,16 +173,18 @@ jobs:
           fi
 
           for i in 1 2 3; do
-            echo "electron-builder attempt $i/3 (notarize=${{ steps.mac_mode.outputs.notarize }})"
-            if npx electron-builder --mac --config electron-builder.yml "${EXTRA_ARGS[@]}" --publish never; then
+            echo "electron-builder arm64 attempt $i/3 (notarize=${{ steps.mac_mode.outputs.notarize }})"
+            if npx electron-builder --mac --arm64 --config electron-builder.yml "${EXTRA_ARGS[@]}" --publish never; then
               exit 0
             fi
-            if [ "$i" -lt 3 ]; then
-              sleep $((i * 60))
-            fi
+            if [ "$i" -lt 3 ]; then sleep $((i * 60)); fi
           done
           exit 1
 
+      # Restore x64 artifacts alongside arm64 output
+      - name: Restore x64 artifacts
+        run: mv release/x64-stash/* release/ && rmdir release/x64-stash
+
       - name: Verify code signature
         if: ${{ env.HAS_CERT == 'true' }}
         run: |
@@ -206,7 +233,9 @@ jobs:
       - name: Print mac release mode
         run: |
           echo "mac_notarize_mode=${{ steps.mac_mode.outputs.mode }}"
-          echo "mac_notarize=${{ steps.mac_mode.outputs.notarize }}"
+          echo "arm64_notarize=${{ steps.mac_mode.outputs.notarize }}"
+          echo "x64_notarize=false (always sign-only)"
+          echo "latest-mac.yml comes from arm64 build"
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
diff --git a/electron/main.ts b/electron/main.ts
@@ -938,8 +938,10 @@ app.whenReady().then(async () => {
       autoStartReq.end();
     }
 
-    // Initialize auto-updater in packaged mode only
-    if (!isDev && mainWindow) {
+    // Initialize auto-updater in packaged mode only.
+    // Disabled on macOS x64 (Intel) — those users get browser-mode update check.
+    const skipNativeUpdater = process.platform === 'darwin' && process.arch === 'x64';
+    if (!isDev && mainWindow && !skipNativeUpdater) {
       initAutoUpdater(mainWindow);
     }
   } catch (err) {
diff --git a/electron/preload.ts b/electron/preload.ts
@@ -28,14 +28,18 @@ contextBridge.exposeInMainWorld('electronAPI', {
   bridge: {
     isActive: () => ipcRenderer.invoke('bridge:is-active'),
   },
-  updater: {
-    checkForUpdates: () => ipcRenderer.invoke('updater:check'),
-    downloadUpdate: () => ipcRenderer.invoke('updater:download'),
-    quitAndInstall: () => ipcRenderer.invoke('updater:quit-and-install'),
-    onStatus: (callback: (data: unknown) => void) => {
-      const listener = (_event: unknown, data: unknown) => callback(data);
-      ipcRenderer.on('updater:status', listener);
-      return () => { ipcRenderer.removeListener('updater:status', listener); };
+  // Native updater: disabled on macOS x64 (Intel) — those users get browser-mode
+  // update check (download link to GitHub Releases) instead.
+  ...(process.platform === 'darwin' && process.arch === 'x64' ? {} : {
+    updater: {
+      checkForUpdates: () => ipcRenderer.invoke('updater:check'),
+      downloadUpdate: () => ipcRenderer.invoke('updater:download'),
+      quitAndInstall: () => ipcRenderer.invoke('updater:quit-and-install'),
+      onStatus: (callback: (data: unknown) => void) => {
+        const listener = (_event: unknown, data: unknown) => callback(data);
+        ipcRenderer.on('updater:status', listener);
+        return () => { ipcRenderer.removeListener('updater:status', listener); };
+      },
     },
-  },
+  }),
 });

Original file line number	Diff line number	Diff line change
`@@ -938,8 +938,10 @@ app.whenReady().then(async () => {`
`938`	`938`	`autoStartReq.end();`
`939`	`939`	`}`
`940`	`940`
`941`		`- // Initialize auto-updater in packaged mode only`
`942`		`- if (!isDev && mainWindow) {`
	`941`	`+ // Initialize auto-updater in packaged mode only.`
	`942`	`+ // Disabled on macOS x64 (Intel) — those users get browser-mode update check.`
	`943`	`+ const skipNativeUpdater = process.platform === 'darwin' && process.arch === 'x64';`
	`944`	`+ if (!isDev && mainWindow && !skipNativeUpdater) {`
`943`	`945`	`initAutoUpdater(mainWindow);`
`944`	`946`	`}`
`945`	`947`	`} catch (err) {`