Define Apple Developer Program "team ID" via repository variable
The macOS builds generated by the release workflows are notarized. The Apple Developer Program "team ID" associated with
the signing certificate is provided to the notarization tool (which refers to it as the "App Store Connect provider").
Previously, this was defined via a GitHub Actions secret. That implies it is secret information. However, the team ID is
public information that can be seen by anyone simply by looking at the notarized application (e.g., using macOS's spctl
utility), so there is no need to use a secret for purposes of protecting the information.
The reason a secret was chosen when the notarization system was developed was simply that the only alternative at that
time was hardcoding the information in the workflow. Since the workflow is intended to be generally applicable even in
3rd party projects (including forks of Arduino projects), whereas the signing credentials are specific to Arduino, it is
better to define them separately from the workflow so that it can be used without modification (though unfortunately
some hardcoding of such information ended up being introduced to the workflows at a later time). Since that time,
GitHub has introduced the repository variable feature, which is intended to configure repository-specific non-secret
information. This is the appropriate mechanism for defining the team ID.