Add macOS code signing via cargo-dist

yshing · claude · yshing · commit 1fa2245355c9 · 2026-05-14T18:01:04.000+08:00
Sets macos-sign = true in dist-workspace.toml; regenerates release.yml
to pass CODESIGN_CERTIFICATE, CODESIGN_CERTIFICATE_PASSWORD, and
CODESIGN_IDENTITY secrets to macOS build runners.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -112,6 +112,9 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json
+      CODESIGN_CERTIFICATE: ${{ secrets.CODESIGN_CERTIFICATE }}
+      CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.CODESIGN_CERTIFICATE_PASSWORD }}
+      CODESIGN_IDENTITY: ${{ secrets.CODESIGN_IDENTITY }}
     permissions:
       "attestations": "write"
       "contents": "read"
diff --git a/dist-workspace.toml b/dist-workspace.toml
@@ -21,3 +21,5 @@ github-attestations = true
 install-path = "CARGO_HOME"
 # Whether to install an updater program
 install-updater = false
+# macOS code signing (uses APPLE_CERTIFICATE, APPLE_CERTIFICATE_PASSWORD, APPLE_TEAM_ID secrets)
+macos-sign = true
