Update Mac Workflow

- Add new repo variables
  - `SIGN_MAC_APP_ON_VALIDATE` will force sign/notarize on the validate workflow (normally only done for releases)
  - `WAIT_FOR_NOTARIZE` Causes the build-mac workflow to wait for apple to notarize the bundle so that it can be stapled. This is usually fast (1-2 mis), but can be very long and may cause workflow runners to time out.

.github/workflows/build-mac.yml

@@ -18,24 +18,24 @@ on:
         type: boolean
       retention-days:
         type: number
+      sign-app:
+        type: boolean
+        description: "Wheather to sign an notorize the app bundle and dmg."
       architecture:
         type: string
         description: "CPU architecture targeted by the build."
         required: true
 
-env:
-  WAIT_FOR_NOTARIZE: true
-
 jobs:
   build:
     name: "macOS-${{ inputs.architecture }}"
     runs-on: macos-latest
     env:
       RUNTIME_ID: "osx-${{ inputs.architecture }}"
-      CAN_SIGN: ${{ secrets.APPLE_TEAM_ID != '' && vars.APPLE_DEV_EMAIL != '' && secrets.APPLE_DEV_PASSWORD != '' }}
+      WAIT_FOR_NOTARIZE: ${{ vars.WAIT_FOR_NOTARIZE == 'true' }}
     steps:    
       - uses: apple-actions/import-codesign-certs@v3
-        if: ${{ env.CAN_SIGN == 'true' }}
+        if: ${{ inputs.sign-app }}
         with: 
           p12-file-base64: ${{ secrets.DISTRIBUTION_SIGNING_CERT }}
           p12-password: ${{ secrets.DISTRIBUTION_SIGNING_CERT_PW }}       
@@ -74,20 +74,25 @@ jobs:
         run: |
           SCRIPT=./Scripts/Bundle_MacOS.sh
           chmod +rx ${SCRIPT}
-          ${SCRIPT} ./bin "${{ inputs.libation-version }}" "${{ inputs.architecture }}" ${{ env.CAN_SIGN }}
+          ${SCRIPT} ./bin "${{ inputs.libation-version }}" "${{ inputs.architecture }}" "${{ inputs.sign-app }}"
           artifact=$(ls ./bundle)
           echo "artifact=${artifact}" >> "${GITHUB_OUTPUT}"
 
       - name: Notarize bundle
-        if: ${{ env.CAN_SIGN == 'true' }}
+        if: ${{ inputs.sign-app }}
         run: |          
-          if [ ${{ env.WAIT_FOR_NOTARIZE }} ]; then
+          if [ ${{ vars.WAIT_FOR_NOTARIZE == 'true' }} ]; then
             WAIT="--wait"
           fi
+          echo "::debug::Submitting the disk image for notarization"
+          RESPONSE=$(xcrun notarytool submit ./bundle/${{ steps.bundle.outputs.artifact }} $WAIT --no-progress --apple-id ${{ vars.APPLE_DEV_EMAIL }} --password ${{ secrets.APPLE_DEV_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }} 2>&1)
+          SUBMISSION_ID=$(echo "$RESPONSE" | awk '/id: / { print $2;exit; }')
           
-          xcrun notarytool submit ./bundle/${{ steps.bundle.outputs.artifact }} $WAIT --no-progress --apple-id ${{ vars.APPLE_DEV_EMAIL }} --password ${{ secrets.APPLE_DEV_PASSWORD }} --team-id ${{ secrets.APPLE_TEAM_ID }}
+          echo "$RESPONSE"
+          echo "::notice::Noraty Submission Id: $SUBMISSION_ID"
           
-          if [ ${{ env.WAIT_FOR_NOTARIZE }} ]; then
+          if [ ${{ vars.WAIT_FOR_NOTARIZE == 'true' }} ]; then
+            echo "::debug::Stapling the notarization ticket to the disk image"
             xcrun stapler staple "./bundle/${{ steps.bundle.outputs.artifact }}"
           fi
 

.github/workflows/build.yml

@@ -20,6 +20,9 @@ on:
       publish-r2r:
         type: boolean
         description: "Whether to publish assemblies as ReadyToRun."
+      release:
+        type: boolean
+        description: "Whether this workflow is being called as a release"
       retention-days:
         type: number
         description: "Number of days the artifacts are to be retained."
@@ -46,6 +49,7 @@ jobs:
       publish-r2r: ${{ inputs.publish-r2r }}
       retention-days: ${{ inputs.retention-days }}
       architecture: ${{ matrix.architecture }}
+      sign-app: ${{ inputs.release || vars.SIGN_MAC_APP_ON_VALIDATE == 'true' }}
     secrets: inherit
 
   linux:

.github/workflows/release.yml

@@ -35,6 +35,7 @@ jobs:
     with:
       libation-version: ${{ needs.prerelease.outputs.version }}
       publish-r2r: true
+      release: true
 
   release:
     needs: [prerelease, build]

.github/workflows/validate.yml

@@ -24,6 +24,7 @@ jobs:
   build:
     needs: [get_version]
     uses: ./.github/workflows/build.yml
+    secrets: inherit
     with:
       libation-version: ${{ needs.get_version.outputs.version }}
       retention-days: 14