diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 939b308..4da271a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -67,7 +67,11 @@ jobs: permissions: contents: read env: - HAS_SIGNING_SECRETS: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12 != '' }} + # macOS signing/notarization is expensive (notary upload + polling) and is + # not needed for PR validation — developers can clear the quarantine + # attribute on unsigned PR artifacts if they need to run them. Gate it to + # main CI runs (pushes to main and v* tags), i.e. skip on pull_request. + MACOS_SIGNING_ENABLED: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12 != '' && github.event_name != 'pull_request' }} steps: - uses: actions/checkout@v4 @@ -97,7 +101,7 @@ jobs: find "$APP" -name '*.pdb' -delete - name: Import signing certificate - if: matrix.rid == 'osx-arm64' && env.HAS_SIGNING_SECRETS == 'true' + if: matrix.rid == 'osx-arm64' && env.MACOS_SIGNING_ENABLED == 'true' env: P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12 }} P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} @@ -110,7 +114,7 @@ jobs: security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain - name: Sign macOS .app bundle - if: matrix.rid == 'osx-arm64' && env.HAS_SIGNING_SECRETS == 'true' + if: matrix.rid == 'osx-arm64' && env.MACOS_SIGNING_ENABLED == 'true' env: APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} run: | @@ -137,7 +141,7 @@ jobs: "$APP" - name: Notarize macOS .app bundle - if: matrix.rid == 'osx-arm64' && env.HAS_SIGNING_SECRETS == 'true' + if: matrix.rid == 'osx-arm64' && env.MACOS_SIGNING_ENABLED == 'true' env: APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} @@ -164,7 +168,7 @@ jobs: fi - name: Staple notarization ticket - if: matrix.rid == 'osx-arm64' && env.HAS_SIGNING_SECRETS == 'true' + if: matrix.rid == 'osx-arm64' && env.MACOS_SIGNING_ENABLED == 'true' continue-on-error: true run: | # The notarization ticket may not be immediately available in