From 3f716cd1ac92029c003de6058d01a6c7dee1c501 Mon Sep 17 00:00:00 2001
From: rmcrackan
Date: Wed, 18 Mar 2026 14:49:02 -0400
Subject: [PATCH] =?UTF-8?q?-=20**Fix:**=20When=20`xcrun=20notarytool=20sub?= =?UTF-8?q?mit`=20failed=20(e.g.=20Apple=20TOS=20/=20"sign=20agreement"=20?= =?UTF-8?q?required),=20the=20job=20failed=20immediately=20and=20the=20rea?= =?UTF-8?q?l=20error=20never=20appeared=20in=20the=20workflow=20log.=20-?= =?UTF-8?q?=20**Change:**=20Capture=20notarytool=20stdout+stderr=20with=20?= =?UTF-8?q?`||=20true`=20so=20the=20script=20always=20runs=20`echo=20"$RES?= =?UTF-8?q?PONSE"`,=20then=20fail=20the=20step=20explicitly=20if=20no=20su?= =?UTF-8?q?bmission=20id=20is=20found.=20The=20job=20still=20fails=20on=20?= =?UTF-8?q?errors,=20but=20the=20full=20notarytool=20output=20(including?= =?UTF-8?q?=20stderr)=20is=20now=20visible=20in=20the=20Actions=20log.=20-?= =?UTF-8?q?=20**Result:**=20Failures=20like=20"you=20must=20accept=20the?= =?UTF-8?q?=20agreement"=20show=20up=20in=20the=20run=20so=20you=20don?= =?UTF-8?q?=E2=80=99t=20have=20to=20reproduce=20them=20locally=20to=20see?= =?UTF-8?q?=20the=20message.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/build-mac.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-mac.yml b/.github/workflows/build-mac.yml
index 61204a63..cc195294 100644
--- a/.github/workflows/build-mac.yml
+++ b/.github/workflows/build-mac.yml
@@ -85,12 +85,21 @@ jobs:
 WAIT="--wait"
 fi
 echo "::debug::Submitting the disk image for notarization"
- RESPONSE=$(xcrun notarytool submit ./bundle/${{ steps.bundle.outputs.artifact }} $WAIT --no-progress --apple-id ${{ vars.APPLE_DEV_EMAIL }} --password ${{ secrets.APPLE_DEV_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }} 2>&1)
- SUBMISSION_ID=$(echo "$RESPONSE" | awk '/id: / { print $2;exit; }')
-
+ # Capture stdout+stderr (2>&1). Use || true so that when notarytool fails (e.g. Apple TOS
+ # agreement required), the script does not exit before we can print RESPONSE—otherwise the
+ # job would fail with no visible error message in the workflow log.
+ RESPONSE=$(xcrun notarytool submit ./bundle/${{ steps.bundle.outputs.artifact }} $WAIT --no-progress --apple-id ${{ vars.APPLE_DEV_EMAIL }} --password ${{ secrets.APPLE_DEV_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }} 2>&1) || true
 echo "$RESPONSE"
- echo "::notice::Noraty Submission Id: $SUBMISSION_ID"
-
+ SUBMISSION_ID=$(echo "$RESPONSE" | awk '/id: / { print $2;exit; }')
+ echo "::notice::Notary Submission Id: $SUBMISSION_ID"
+
+ # Re-fail the step if submit failed (e.g. no submission id). The job still fails, but the
+ # output above is now visible in the log so we can see the real error (e.g. sign agreement).
+ if [ -z "$SUBMISSION_ID" ]; then
+ echo "::error::Notarization submit failed. See output above for details (e.g. Apple TOS agreement)."
+ exit 1
+ fi
+
 if [ ${{ vars.WAIT_FOR_NOTARIZE == 'true' }} ]; then
 echo "::debug::Stapling the notarization ticket to the disk image"
 xcrun stapler staple "./bundle/${{ steps.bundle.outputs.artifact }}"
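Review bot: The `|| true` appended to the `RESPONSE=$(xcrun notarytool submit …)` line discards notarytool's exit status, so the only remaining failure gate is whether awk finds a line containing `id: ` in the merged stdout+stderr. A run that is assigned a submission id and then fails (an upload error, or presumably a rejected result when `$WAIT` is set) passes the `[ -z "$SUBMISSION_ID" ]` check, as would any error line that happens to contain `id: `. Keep the status and test it together with the id: put `RC=0` before the assignment, end it with `|| RC=$?` instead of `|| true`, and make the guard `if [ "$RC" -ne 0 ] || [ -z "$SUBMISSION_ID" ]; then`. Separately, the re-added line still expands `${{ secrets.APPLE_DEV_PASSWORD }}` and `${{ secrets.APPLE_TEAM_ID }}` unquoted into the script text; mapping them through the step's `env:` and passing `"$APPLE_DEV_PASSWORD"` (or using a stored keychain profile, which also keeps the password off the command line) avoids shell parsing of the secret value. The step's script starts and ends outside this hunk.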