Merge pull request #1148 from tunjid/tj/mac-github

Set up notarization for Mac app

Author: tunjid

.github/workflows/publish.yml

@@ -93,64 +93,64 @@ jobs:
           draft: true
           allow_updates: true
 
-#  publish-mac-app:
-#    runs-on: macos-latest
-#    permissions:
-#      contents: 'write'
-#    steps:
-#      - name: Checkout Code
-#        uses: actions/checkout@v5
-#
-#      - name: Setup java
-#        uses: actions/setup-java@v5
-#        with:
-#          distribution: 'zulu'
-#          java-version: 21
-#
-#      - name: Setup Gradle
-#        uses: gradle/actions/setup-gradle@v4
-#
-#      - name: Cache KMP tooling
-#        uses: actions/cache@v4
-#        with:
-#          path: |
-#            ~/.konan
-#          key: ${{ runner.os }}-v1-${{ hashFiles('gradle/libs.versions.toml') }}
-#
-#      - name: Import signing certificate
-#        uses: apple-actions/import-codesign-certs@v2
-#        with:
-#          p12-file-base64: ${{ secrets.SIGNING_CERTIFICATE_P12_DATA_MACOS }}
-#          p12-password: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD_MACOS }}
-#
-#      - name: Build release DMG
-#        env:
-#          HERON_ENDPOINT: ${{ secrets.HERON_ENDPOINT }}
-#        run: |
-#          ./gradlew packageReleaseDmg \
-#            -Pheron.versionCode=${{ github.run_number }} \
-#            -Pheron.endpoint="$HERON_ENDPOINT"
-#
-#      - name: Notarize DMG
-#        env:
-#          APPLE_ID_NOTARIZATION: ${{ secrets.APPLE_ID_NOTARIZATION }}
-#          APPSTORE_TEAM_ID: ${{ secrets.APPSTORE_TEAM_ID }}
-#          NOTARIZATION_PWD: ${{ secrets.NOTARIZATION_PWD }}
-#        run: |
-#          DMG_PATH=$(find composeApp/build/release/main-release/dmg -name "*.dmg" | head -1)
-#          xcrun notarytool submit "$DMG_PATH" \
-#            --apple-id "$APPLE_ID_NOTARIZATION" \
-#            --password "$NOTARIZATION_PWD" \
-#            --team-id "$APPSTORE_TEAM_ID" \
-#            --wait
-#          xcrun stapler staple "$DMG_PATH"
-#          echo "DMG_PATH=$DMG_PATH" >> $GITHUB_ENV
-#
-#      - name: Upload to GitHub releases
-#        uses: softprops/action-gh-release@v2
-#        with:
-#          tag_name: v${{ github.run_number }}
-#          name: Heron v${{ github.run_number }}
-#          files: ${{ env.DMG_PATH }}
-#          draft: true
-#          allow_updates: true
+  publish-mac-app:
+    runs-on: macos-latest
+    permissions:
+      contents: 'write'
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v5
+
+      - name: Setup java
+        uses: actions/setup-java@v5
+        with:
+          distribution: 'zulu'
+          java-version: 21
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Cache KMP tooling
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.konan
+          key: ${{ runner.os }}-v1-${{ hashFiles('gradle/libs.versions.toml') }}
+
+      - name: Import signing certificate
+        uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.MACOS_SIGNING_CERTIFICATE_P12_DATA }}
+          p12-password: ${{ secrets.MACOS_SIGNING_CERTIFICATE_PASSWORD }}
+
+      - name: Build and sign release DMG
+        env:
+          HERON_ENDPOINT: ${{ secrets.HERON_ENDPOINT }}
+        run: |
+          ./gradlew packageReleaseDmg \
+            -Pheron.versionCode=${{ github.run_number }} \
+            -Pheron.endpoint="$HERON_ENDPOINT" \
+            -Pheron.macOS.signing.identity="${{ secrets.MACOS_SIGNING_IDENTITY }}"
+
+      - name: Notarize and staple DMG
+        env:
+          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          MACOS_NOTARIZATION_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWORD }}
+          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+        run: |
+          DMG_PATH=$(find composeApp/build/release/main-release/dmg -name "*.dmg" | head -1)
+          xcrun notarytool submit "$DMG_PATH" \
+            --apple-id "$MACOS_NOTARIZATION_APPLE_ID" \
+            --password "$MACOS_NOTARIZATION_PASSWORD" \
+            --team-id "$MACOS_NOTARIZATION_TEAM_ID" \
+            --wait
+          xcrun stapler staple "$DMG_PATH"
+
+      - name: Upload to GitHub releases
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ github.run_number }}
+          name: Heron v${{ github.run_number }}
+          files: composeApp/build/release/main-release/dmg/*.dmg
+          draft: true
+          allow_updates: true

README.md

@@ -117,3 +117,63 @@ persisted across app restarts.
         * All subtypes of `Action.Navigation` typically share the same key.
         * All subtypes of pagination actions, also share the same key and are processed with
           the [Tiling library](https://github.com/tunjid/Tiler).
+
+## Building
+
+### Gradle Properties
+
+The following properties can be set in `~/.gradle/gradle.properties` or passed via `-P` flags.
+None are required for basic development builds.
+
+| Property | Description |
+|---|---|
+| `heron.versionCode` | Integer version code. Managed by CI via `github.run_number`. |
+| `heron.endpoint` | Backend endpoint URL for the app. |
+| `heron.isPlayStore` | Set to `true` when building for Play Store distribution. |
+| `heron.releaseBranch` | Branch prefix (`bugfix/`, `feature/`, `release/`) controlling version increments. |
+| `heron.macOS.signing.identity` | Name of the Developer ID Application certificate in your Keychain (e.g. `Developer ID Application: Name (TEAM_ID)`). When present, the macOS DMG will be code signed. |
+macOS signing is only configured when `heron.macOS.signing.identity` is present,
+so contributors without an Apple Developer account can still build unsigned DMGs with
+`./gradlew packageReleaseDmg`.
+
+Notarization is handled externally via `xcrun notarytool` (not a Gradle task) to maintain
+compatibility with the Gradle configuration cache. To notarize locally after building a signed DMG:
+
+```bash
+./gradlew packageReleaseDmg
+xcrun notarytool submit <path-to-dmg> \
+  --apple-id <your-apple-id> \
+  --password <app-specific-password> \
+  --team-id <team-id> \
+  --wait
+xcrun stapler staple <path-to-dmg>
+```
+
+### Publishing
+
+Publishing is triggered manually via the `Publish` GitHub Actions workflow (`workflow_dispatch`).
+It runs two jobs in parallel:
+
+**Android** (`publish-android-app`) builds a release AAB, signs it, uploads to the Play Store
+internal track, extracts a universal APK, and attaches it to a draft GitHub Release.
+
+**macOS** (`publish-mac-app`) imports a signing certificate, builds a signed DMG
+via `packageReleaseDmg`, notarizes it with `xcrun notarytool`, staples the ticket,
+and attaches it to the same draft GitHub Release.
+
+The following repository secrets are required for CI publishing:
+
+| Secret | Used by |
+|---|---|
+| `HERON_ENDPOINT` | Both jobs |
+| `GOOGLE_SERVICES_BASE_64` | Android |
+| `SIGNING_KEY_BASE_64` | Android |
+| `ALIAS` | Android |
+| `KEY_STORE_PASSWORD` | Android |
+| `KEY_PASSWORD` | Android |
+| `MACOS_SIGNING_CERTIFICATE_P12_DATA` | macOS - base64-encoded Developer ID Application `.p12` file |
+| `MACOS_SIGNING_CERTIFICATE_PASSWORD` | macOS - password for the `.p12` file |
+| `MACOS_SIGNING_IDENTITY` | macOS - certificate identity string (e.g. `Developer ID Application: Name (TEAM_ID)`) |
+| `MACOS_NOTARIZATION_APPLE_ID` | macOS - Apple ID email |
+| `MACOS_NOTARIZATION_PASSWORD` | macOS - app-specific password |
+| `MACOS_NOTARIZATION_TEAM_ID` | macOS - Apple Developer Team ID |

composeApp/build.gradle.kts

@@ -210,7 +210,20 @@ compose.desktop {
 
             val resourcesDir = project.file("src/desktopMain/resources")
             macOS {
+                bundleID = "com.tunjid.heron"
                 iconFile.set(resourcesDir.resolve("icon.icns"))
+
+                providers.gradleProperty("heron.macOS.signing.identity")
+                    .let { identityProperty ->
+                        if (identityProperty.isPresent) signing {
+                            sign.set(true)
+                            identity.set(identityProperty)
+                        }
+                    }
+
+                // Notarization is handled externally via xcrun notarytool
+                // to maintain compatibility with Gradle configuration cache.
+                // See the publish workflow and README for details.
             }
             windows {
                 iconFile.set(resourcesDir.resolve("icon.ico"))