ci(release): support notarized rebuilds for older tags

2026-04-21 13:27:16 +00:00 · 2026-02-13 01:05:16 +01:00 · 2026-02-13 01:05:16 +01:00 · 8abc0136e9
commit 8abc0136e9
parent f745dd3cc4
3 changed files with 94 additions and 8 deletions
--- a/.github/workflows/release-notarized-selfhosted.yml
+++ b/.github/workflows/release-notarized-selfhosted.yml
@ -63,7 +63,16 @@ jobs:
      - name: Select/verify Xcode 17+
        run: |
          set -euo pipefail
-          scripts/ci/select_xcode17.sh
+          if [[ -x scripts/ci/select_xcode17.sh ]]; then
+            scripts/ci/select_xcode17.sh
+          else
+            xcodebuild -version
+            XCODE_MAJOR="$(xcodebuild -version | awk '/Xcode/ {split($2, v, "."); print v[1]}')"
+            if [[ "${XCODE_MAJOR:-0}" -lt 17 ]]; then
+              echo "Xcode 17+ required for AppIcon.icon builds." >&2
+              exit 1
+            fi
+          fi

      - name: Import signing certificate
        env:
@ -128,7 +137,22 @@ jobs:
        run: |
          set -euo pipefail
          APP="$EXPORT_PATH/Neon Vision Editor.app"
-          scripts/ci/verify_icon_payload.sh "$APP"
+          if [[ -x scripts/ci/verify_icon_payload.sh ]]; then
+            scripts/ci/verify_icon_payload.sh "$APP"
+          else
+            INFO="$APP/Contents/Info.plist"
+            CAR="$APP/Contents/Resources/Assets.car"
+            ICON_NAME="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIconName' "$INFO" 2>/dev/null || true)"
+            if [[ "$ICON_NAME" != "AppIcon" ]]; then
+              echo "Unexpected CFBundleIconName: '$ICON_NAME' (expected 'AppIcon')." >&2
+              exit 1
+            fi
+            TMP_JSON="$(mktemp)"
+            xcrun --sdk macosx assetutil --info "$CAR" > "$TMP_JSON"
+            grep -Eq '"RenditionName" : "AppIcon\.iconstack"' "$TMP_JSON"
+            grep -Eq '"Name" : "AppIcon"' "$TMP_JSON"
+            rm -f "$TMP_JSON"
+          fi

      - name: Notarize
        env:
@ -200,7 +224,26 @@ jobs:
          TAG_NAME: ${{ inputs.tag }}
        run: |
          set -euo pipefail
-          scripts/ci/verify_release_asset.sh "$TAG_NAME"
+          if [[ -x scripts/ci/verify_release_asset.sh ]]; then
+            scripts/ci/verify_release_asset.sh "$TAG_NAME"
+          else
+            WORK_DIR="$(mktemp -d)"
+            gh release download "$TAG_NAME" -p Neon.Vision.Editor.app.zip -D "$WORK_DIR"
+            ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
+            APP="$WORK_DIR/extracted/Neon Vision Editor.app"
+            INFO="$APP/Contents/Info.plist"
+            CAR="$APP/Contents/Resources/Assets.car"
+            ICON_NAME="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIconName' "$INFO" 2>/dev/null || true)"
+            if [[ "$ICON_NAME" != "AppIcon" ]]; then
+              echo "Unexpected CFBundleIconName: '$ICON_NAME' (expected 'AppIcon')." >&2
+              exit 1
+            fi
+            TMP_JSON="$(mktemp)"
+            xcrun --sdk macosx assetutil --info "$CAR" > "$TMP_JSON"
+            grep -Eq '"RenditionName" : "AppIcon\.iconstack"' "$TMP_JSON"
+            grep -Eq '"Name" : "AppIcon"' "$TMP_JSON"
+            rm -rf "$WORK_DIR" "$TMP_JSON"
+          fi

      - name: Roll back broken published release asset
        if: ${{ failure() && steps.publish_release.outcome == 'success' }}
--- a/.github/workflows/release-notarized.yml
+++ b/.github/workflows/release-notarized.yml
@ -35,7 +35,16 @@ jobs:
      - name: Select/verify Xcode 17+
        run: |
          set -euo pipefail
-          scripts/ci/select_xcode17.sh
+          if [[ -x scripts/ci/select_xcode17.sh ]]; then
+            scripts/ci/select_xcode17.sh
+          else
+            xcodebuild -version
+            XCODE_MAJOR="$(xcodebuild -version | awk '/Xcode/ {split($2, v, "."); print v[1]}')"
+            if [[ "${XCODE_MAJOR:-0}" -lt 17 ]]; then
+              echo "Xcode 17+ required for AppIcon.icon builds." >&2
+              exit 1
+            fi
+          fi

      - name: Import signing certificate
        env:
@ -100,7 +109,22 @@ jobs:
        run: |
          set -euo pipefail
          APP="$EXPORT_PATH/Neon Vision Editor.app"
-          scripts/ci/verify_icon_payload.sh "$APP"
+          if [[ -x scripts/ci/verify_icon_payload.sh ]]; then
+            scripts/ci/verify_icon_payload.sh "$APP"
+          else
+            INFO="$APP/Contents/Info.plist"
+            CAR="$APP/Contents/Resources/Assets.car"
+            ICON_NAME="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIconName' "$INFO" 2>/dev/null || true)"
+            if [[ "$ICON_NAME" != "AppIcon" ]]; then
+              echo "Unexpected CFBundleIconName: '$ICON_NAME' (expected 'AppIcon')." >&2
+              exit 1
+            fi
+            TMP_JSON="$(mktemp)"
+            xcrun --sdk macosx assetutil --info "$CAR" > "$TMP_JSON"
+            grep -Eq '"RenditionName" : "AppIcon\.iconstack"' "$TMP_JSON"
+            grep -Eq '"Name" : "AppIcon"' "$TMP_JSON"
+            rm -f "$TMP_JSON"
+          fi

      - name: Notarize
        env:
@ -172,7 +196,26 @@ jobs:
          TAG_NAME: ${{ inputs.tag }}
        run: |
          set -euo pipefail
-          scripts/ci/verify_release_asset.sh "$TAG_NAME"
+          if [[ -x scripts/ci/verify_release_asset.sh ]]; then
+            scripts/ci/verify_release_asset.sh "$TAG_NAME"
+          else
+            WORK_DIR="$(mktemp -d)"
+            gh release download "$TAG_NAME" -p Neon.Vision.Editor.app.zip -D "$WORK_DIR"
+            ditto -x -k "$WORK_DIR/Neon.Vision.Editor.app.zip" "$WORK_DIR/extracted"
+            APP="$WORK_DIR/extracted/Neon Vision Editor.app"
+            INFO="$APP/Contents/Info.plist"
+            CAR="$APP/Contents/Resources/Assets.car"
+            ICON_NAME="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleIconName' "$INFO" 2>/dev/null || true)"
+            if [[ "$ICON_NAME" != "AppIcon" ]]; then
+              echo "Unexpected CFBundleIconName: '$ICON_NAME' (expected 'AppIcon')." >&2
+              exit 1
+            fi
+            TMP_JSON="$(mktemp)"
+            xcrun --sdk macosx assetutil --info "$CAR" > "$TMP_JSON"
+            grep -Eq '"RenditionName" : "AppIcon\.iconstack"' "$TMP_JSON"
+            grep -Eq '"Name" : "AppIcon"' "$TMP_JSON"
+            rm -rf "$WORK_DIR" "$TMP_JSON"
+          fi

      - name: Roll back broken published release asset
        if: ${{ failure() && steps.publish_release.outcome == 'success' }}
--- a/Editor.xcodeproj/project.pbxproj
+++ b/Editor.xcodeproj/project.pbxproj
@ -358,7 +358,7 @@
 				CODE_SIGNING_ALLOWED = YES;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 190;
+				CURRENT_PROJECT_VERSION = 191;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = CS727NF72U;
 				ENABLE_APP_SANDBOX = YES;
@ -438,7 +438,7 @@
 				CODE_SIGNING_ALLOWED = YES;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 190;
+				CURRENT_PROJECT_VERSION = 191;
 				DEAD_CODE_STRIPPING = YES;
 				DEVELOPMENT_TEAM = CS727NF72U;
 				ENABLE_APP_SANDBOX = YES;