CommunitySchreiben & Editierengithub.com

steipete/release-mac-app

macOS app release: Sparkle, notarization, GitHub Release, Homebrew, closeout.

Was ist release-mac-app?

release-mac-app is a Codex agent skill that macOS app release: Sparkle, notarization, GitHub Release, Homebrew, closeout.

Funktioniert mit~Claude CodeCodex CLI~Cursor
npx skills add https://github.com/steipete/agent-scripts/tree/main/skills/release-mac-app

Installed? Explore more Schreiben & Editieren skills: steipete/notion, affaan-m/seo, affaan-m/brand-voice · View all 6 →

In Ihrer bevorzugten KI fragen

Öffnet einen neuen Chat, in dem dieser Agent-Skill bereits geladen ist.

Dokumentation

Mac App Release

Use for BlackBar, RepoBar, CodexBar, Trimmy, and similar Sparkle-updated macOS apps.

Rules

  • Work from the app repo.
  • Read .mac-release.env; it is the repo-owned release manifest.
  • Use scripts/mac-release from this skill for shared release/appcast/verify work.
  • Keep app-specific build/package/sign behavior in repo scripts unless it is already manifest-driven.
  • Never print private key material.
  • Prefer Keychain Sparkle signing. SPARKLE_PRIVATE_KEY_FILE is an explicit override only.

Commands

/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release status
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release notes [version] [output.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release changelog-html <version> [CHANGELOG.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release make-appcast <zip> [feed-url]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release verify-appcast [version]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release check-assets [tag]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release release
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release codesign-run [--with-package-secrets] -- <command> [args...]

Manifest

Each repo owns .mac-release.env. It must contain no secrets.

Required:

  • MAC_RELEASE_APP_NAME
  • MAC_RELEASE_REPO
  • MAC_RELEASE_BUNDLE_ID
  • MAC_RELEASE_VERSION_FILE
  • MAC_RELEASE_APPCAST
  • MAC_RELEASE_FEED_URL
  • MAC_RELEASE_DOWNLOAD_URL_PREFIX
  • MAC_RELEASE_APP_ZIP
  • either MAC_RELEASE_INFO_PLIST or MAC_RELEASE_SUPUBLIC_ED_KEY
  • MAC_RELEASE_PACKAGE_CMD

Common optional:

  • MAC_RELEASE_PRECHECK
  • MAC_RELEASE_SOURCE_FILES (space-separated app helper files to source before expanding artifact names)
  • MAC_RELEASE_DSYM_ZIP
  • MAC_RELEASE_REQUIRE_DSYM=0 for app-only releases
  • MAC_RELEASE_ARTIFACT_PREFIX
  • MAC_RELEASE_TAG_SIGNED
  • MAC_RELEASE_TAG_FORCE
  • MAC_RELEASE_RELEASE_BRANCH
  • MAC_RELEASE_SPARKLE_ACCOUNT
  • MAC_RELEASE_SPARKLE_CHANNEL
  • MAC_RELEASE_GENERATE_APPCAST_ARGS
  • MAC_RELEASE_RUN_SPARKLE_UPDATE_TEST
  • MAC_RELEASE_SIGNING_KEY_FILE (local fallback path only; Keychain is used when the file is absent)
  • MAC_RELEASE_EXTRA_ASSET_PATTERNS
  • MAC_RELEASE_EXTRA_ASSET_WAIT_SECONDS
  • MAC_RELEASE_EXTRA_ASSET_WAIT_INTERVAL
  • MAC_RELEASE_OP_ITEM + MAC_RELEASE_OP_FIELDS for required packaging secrets. The release helper reads the known item once via op inside one persistent tmux session, then exports the requested fields for the package command.
  • MAC_RELEASE_OP_ACCOUNT defaults to my.1password.com; MAC_RELEASE_OP_VAULT, MAC_RELEASE_OP_TMUX_SESSION, MAC_RELEASE_OP_WAIT_SECONDS are optional. Without a vault, service-account token env is unset for that single op read so the personal desktop account handles it.
  • MAC_RELEASE_CODESIGN_IDENTITY + MAC_RELEASE_CODESIGN_OP_ITEM + MAC_RELEASE_CODESIGN_KEYCHAIN_MANAGED=1 enable non-interactive Developer ID signing. The keychain must be replaceable, dedicated to release automation, separate from the default keychain, not shared with interactive use, and contain exactly one signing private key. The helper owns and may permanently normalize that key's partition ACL to apple-tool:,apple:,codesign:. After precheck, the same tmux credential pass reads keychain_path and keychain_password, takes a per-user release lock, supplies the password through a private file descriptor to a CLI PTY, prepends the keychain without hiding existing keychains, verifies a Developer ID Application canary, scopes package signing through a temporary codesign --keychain shim, then restores transient state, relocks, and releases the lock.
  • MAC_RELEASE_CODESIGN_OP_ACCOUNT, MAC_RELEASE_CODESIGN_OP_VAULT, MAC_RELEASE_CODESIGN_OP_USE_SERVICE_ACCOUNT, MAC_RELEASE_CODESIGN_OP_PATH_FIELD, and MAC_RELEASE_CODESIGN_OP_PASSWORD_FIELD override the codesign credential item defaults; account, vault, and service-account mode otherwise inherit the primary item settings. Set vault empty and service-account mode 0 for a personal desktop-account item. MAC_RELEASE_CODESIGN_KEYCHAIN + MAC_RELEASE_CODESIGN_KEYCHAIN_PASSWORD may be supplied directly instead.
  • MAC_RELEASE_RUN_LOGIN_SHELL=1 opts command hooks back into bash -lc; default hooks use env -u BASH_ENV bash -c so shell startup files cannot override exported release secrets.

1Password rules:

  • Prefer already-exported env vars first; no op call if all MAC_RELEASE_OP_FIELDS are present.
  • If fields are missing, read configured package and codesign items in one tmux command for the whole release.
  • Use service-account mode only with an explicit vault or MAC_RELEASE_OP_USE_SERVICE_ACCOUNT=1.
  • Do not retry op reads in a fresh shell; rerun only from the same tmux session after explicit user direction.
  • Never allow a release to reach app packaging with an unprepared Developer ID keychain. No SecurityAgent password windows during release; fail the signing canary first.
  • For non-app release scripts, use codesign-run instead of copying keychain setup into the repository. Supply the codesign manifest fields through .mac-release.env or explicit MAC_RELEASE_CODESIGN_* environment configuration. It loads only codesign credentials by default; pass --with-package-secrets when the wrapped release script also needs the configured package/notary fields in the same 1Password pass. It runs the bounded signing canary, scopes codesign through the managed-keychain shim, and restores/relocks before returning.
  • Disable shell xtrace and verbose mode before loading release secrets. Arm cleanup before keychain/search-list mutations, restore the dedicated keychain's original lock policy and user search list, and relock it after packaging.

Done

  • appcast entry has URL, length, Sparkle signature.
  • downloaded enclosure verifies with Sparkle.
  • extracted app passes codesign, spctl, and stapler validate.
  • GitHub release has app zip, dSYM zip when configured, plus app-specific extra assets.
  • release notes match the changelog section.
  • after verified release, bump changelog to next patch Unreleased in the app repo.

Individual skills in this repo

This repo contains 20 individual skills — each has its own dedicated page.

steipete/agent-transcript

GitHub PR/issue agent transcripts: redact, preview, and insert safely.

steipete/beeper

Beeper cache: contact hints, room lookup, WhatsApp/iMessage traces, FTS.

steipete/browser-use

Existing Chrome automation: Chrome plugin first, mcporter fallback.

steipete/clawsweeper-status

ClawSweeper status: URLs, workflow health, active workers, ops snapshot.

steipete/clickclack

ClickClack ops: chat app, Hetzner deploy, DNS/docs/app, Docker rollout.

steipete/cloudflare-registrar

Cloudflare Registrar: domain availability, prices, registration via mcporter.

steipete/codex-debugging

Codex debugging: codex-rs core/tui/exec/cli/app-server/config.

steipete/create-cli

CLI UX/spec: args, flags, help, output, errors, config, dry-run.

steipete/discord-clawd

Discord-backed OpenClaw agent/session relay; not archive search.

steipete/domain-dns-ops

DNS/domain ops: registrars, zones, redirects, DNS/HTTP verify, manager truth.

steipete/frontend-design

Frontend UI: pages, apps, components, polished non-generic design.

steipete/github-author-context

GitHub contributor context: identity, activity, trust, company/team signal.

steipete/github-cache-hygiene

GitHub quota/cache hygiene: gh, ghx, xcache, gitcrawl, mirrors, limits.

steipete/github-deep-review

GitHub deep review: bugs, PRs, best fix, stale-or-real, read code first.

steipete/github-project-triage

GitHub issue/PR triage: queues, CI, blockers, risk, proof, next actions.

steipete/hopper-debugger

Hopper debugging: macOS/iOS binaries, ObjC/Swift symbols, dyld, LLDB.

steipete/instruments-profiling

Instruments/xctrace profiling: macOS/iOS traces, binaries, args, exports.

steipete/mac-maintenance

Mac upkeep: brew update/upgrade, pull clean repos, empty Trash.

steipete/maintainer-orchestrator

Open-source maintainer orchestration: Codex app workers, work recovery, dependencies, vision, releases.

steipete/markdown-converter

Markdown conversion: PDF, Office, HTML, data, OCR, audio, ZIP, YouTube.

Verwandte Skills

steipete/notion

Notion CLI/API for pages, Markdown content, data sources, files, comments, search, Workers, and raw API calls.

community

affaan-m/seo

Audit, plan, and implement SEO improvements across technical SEO, on-page optimization, structured data, Core Web Vitals, and content strategy. Use when the user wants better search visibility, SEO remediation, schema markup, sitemap/robots work, or keyword mapping.

community

affaan-m/brand-voice

Build a source-derived writing style profile from real posts, essays, launch notes, docs, or site copy, then reuse that profile across content, outreach, and social workflows. Use when the user wants voice consistency without generic AI writing tropes.

community

affaan-m/crosspost

Multi-platform content distribution across X, LinkedIn, Threads, and Bluesky. Adapts content per platform using content-engine patterns. Never posts identical content cross-platform. Use when the user wants to distribute content across social platforms.

community

affaan-m/x-api

X/Twitter API integration for posting tweets, threads, reading timelines, search, and analytics. Covers OAuth auth patterns, rate limits, and platform-native content posting. Use when the user wants to interact with X programmatically.

community

affaan-m/content-engine

Create platform-native content systems for X, LinkedIn, TikTok, YouTube, newsletters, and repurposed multi-platform campaigns. Use when the user wants social posts, threads, scripts, content calendars, or one source asset adapted cleanly across platforms.

community