Skip to content

Gate macOS app signing to non-PR CI runs#11

Merged
philliphoff merged 1 commit into
mainfrom
philliphoff/gate-mac-signing
Jun 18, 2026
Merged

Gate macOS app signing to non-PR CI runs#11
philliphoff merged 1 commit into
mainfrom
philliphoff/gate-mac-signing

Conversation

@philliphoff

Copy link
Copy Markdown
Owner

Why

macOS signing and notarization are expensive (notary upload plus polling) and add little value to PR validation. PR builds don't need signed assets, so paying that cost on every pull request just slows down CI.

What

In the publish job of ci.yml, the macOS signing steps are now gated on the run not being a pull_request event, in addition to the existing secret-presence check.

  • Renamed the HAS_SIGNING_SECRETS env var to MACOS_SIGNING_ENABLED and added && github.event_name != 'pull_request' to its expression.
  • Updated the four gated steps (import certificate, sign bundle, notarize, staple) to reference the new condition.

PRs now produce unsigned macOS .app bundles, while pushes to main and v* release tags continue to sign, notarize, and staple as before. This mirrors the approach already used in the EncDotNet.S100 repo.

Skip macOS signing/notarization on pull_request events so PRs produce
unsigned artifacts and avoid the expensive notary upload/polling. Signing
still runs on pushes to main and v* tags.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@philliphoff philliphoff merged commit 0e442d2 into main Jun 18, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant