Mac App Release
Use for BlackBar, RepoBar, CodexBar, Trimmy, and similar Sparkle-updated macOS apps.
Rules
- Work from the app repo.
- Read
.mac-release.env; it is the repo-owned release manifest. - Use
scripts/mac-releasefrom this skill for shared release/appcast/verify work. - Keep app-specific build/package/sign behavior in repo scripts unless it is already manifest-driven.
- Never print private key material.
- Prefer Keychain Sparkle signing.
SPARKLE_PRIVATE_KEY_FILEis an explicit override only.
Commands
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release status
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release notes [version] [output.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release changelog-html <version> [CHANGELOG.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release make-appcast <zip> [feed-url]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release verify-appcast [version]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release check-assets [tag]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release release
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release codesign-run [--with-package-secrets] -- <command> [args...]
Manifest
Each repo owns .mac-release.env. It must contain no secrets.
Required:
MAC_RELEASE_APP_NAMEMAC_RELEASE_REPOMAC_RELEASE_BUNDLE_IDMAC_RELEASE_VERSION_FILEMAC_RELEASE_APPCASTMAC_RELEASE_FEED_URLMAC_RELEASE_DOWNLOAD_URL_PREFIXMAC_RELEASE_APP_ZIP- either
MAC_RELEASE_INFO_PLISTorMAC_RELEASE_SUPUBLIC_ED_KEY MAC_RELEASE_PACKAGE_CMD
Common optional:
MAC_RELEASE_PRECHECKMAC_RELEASE_SOURCE_FILES(space-separated app helper files to source before expanding artifact names)MAC_RELEASE_DSYM_ZIPMAC_RELEASE_REQUIRE_DSYM=0for app-only releasesMAC_RELEASE_ARTIFACT_PREFIXMAC_RELEASE_TAG_SIGNEDMAC_RELEASE_TAG_FORCEMAC_RELEASE_RELEASE_BRANCHMAC_RELEASE_SPARKLE_ACCOUNTMAC_RELEASE_SPARKLE_CHANNELMAC_RELEASE_GENERATE_APPCAST_ARGSMAC_RELEASE_RUN_SPARKLE_UPDATE_TESTMAC_RELEASE_SIGNING_KEY_FILE(local fallback path only; Keychain is used when the file is absent)MAC_RELEASE_EXTRA_ASSET_PATTERNSMAC_RELEASE_EXTRA_ASSET_WAIT_SECONDSMAC_RELEASE_EXTRA_ASSET_WAIT_INTERVALMAC_RELEASE_OP_ITEM+MAC_RELEASE_OP_FIELDSfor required packaging secrets. The release helper reads the known item once viaopinside one persistent tmux session, then exports the requested fields for the package command.MAC_RELEASE_OP_ACCOUNTdefaults tomy.1password.com;MAC_RELEASE_OP_VAULT,MAC_RELEASE_OP_TMUX_SESSION,MAC_RELEASE_OP_WAIT_SECONDSare optional. Without a vault, service-account token env is unset for that singleopread so the personal desktop account handles it.MAC_RELEASE_CODESIGN_IDENTITY+MAC_RELEASE_CODESIGN_OP_ITEM+MAC_RELEASE_CODESIGN_KEYCHAIN_MANAGED=1enable non-interactive Developer ID signing. The keychain must be replaceable, dedicated to release automation, separate from the default keychain, not shared with interactive use, and contain exactly one signing private key. The helper owns and may permanently normalize that key's partition ACL toapple-tool:,apple:,codesign:. After precheck, the same tmux credential pass readskeychain_pathandkeychain_password, takes a per-user release lock, supplies the password through a private file descriptor to a CLI PTY, prepends the keychain without hiding existing keychains, verifies a Developer ID Application canary, scopes package signing through a temporarycodesign --keychainshim, then restores transient state, relocks, and releases the lock.MAC_RELEASE_CODESIGN_OP_ACCOUNT,MAC_RELEASE_CODESIGN_OP_VAULT,MAC_RELEASE_CODESIGN_OP_USE_SERVICE_ACCOUNT,MAC_RELEASE_CODESIGN_OP_PATH_FIELD, andMAC_RELEASE_CODESIGN_OP_PASSWORD_FIELDoverride the codesign credential item defaults; account, vault, and service-account mode otherwise inherit the primary item settings. Set vault empty and service-account mode0for a personal desktop-account item.MAC_RELEASE_CODESIGN_KEYCHAIN+MAC_RELEASE_CODESIGN_KEYCHAIN_PASSWORDmay be supplied directly instead.MAC_RELEASE_RUN_LOGIN_SHELL=1opts command hooks back intobash -lc; default hooks useenv -u BASH_ENV bash -cso shell startup files cannot override exported release secrets.
1Password rules:
- Prefer already-exported env vars first; no
opcall if allMAC_RELEASE_OP_FIELDSare present. - If fields are missing, read configured package and codesign items in one tmux command for the whole release.
- Use service-account mode only with an explicit vault or
MAC_RELEASE_OP_USE_SERVICE_ACCOUNT=1. - Do not retry
opreads in a fresh shell; rerun only from the same tmux session after explicit user direction. - Never allow a release to reach app packaging with an unprepared Developer ID keychain. No SecurityAgent password windows during release; fail the signing canary first.
- For non-app release scripts, use
codesign-runinstead of copying keychain setup into the repository. Supply the codesign manifest fields through.mac-release.envor explicitMAC_RELEASE_CODESIGN_*environment configuration. It loads only codesign credentials by default; pass--with-package-secretswhen the wrapped release script also needs the configured package/notary fields in the same 1Password pass. It runs the bounded signing canary, scopescodesignthrough the managed-keychain shim, and restores/relocks before returning. - Disable shell xtrace and verbose mode before loading release secrets. Arm cleanup before keychain/search-list mutations, restore the dedicated keychain's original lock policy and user search list, and relock it after packaging.
Done
- appcast entry has URL, length, Sparkle signature.
- downloaded enclosure verifies with Sparkle.
- extracted app passes
codesign,spctl, andstapler validate. - GitHub release has app zip, dSYM zip when configured, plus app-specific extra assets.
- release notes match the changelog section.
- after verified release, bump changelog to next patch
Unreleasedin the app repo.