Add macOS notarization, revert pr-run-mode to plan, bump to 1.0.0-alpha.1

- Add APPLE_NOTARIZE_* secrets and notarize step to release workflow;
  step runs only on macOS targets and only on tag releases
- Revert pr-run-mode from upload back to plan
- Bump version to 1.0.0-alpha.1 for pre-release testing

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: byshing

.github/workflows/release.yml

@@ -115,6 +115,9 @@ jobs:
       CODESIGN_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
       CODESIGN_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
       CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+      APPLE_NOTARIZE_ID: ${{ secrets.APPLE_NOTARIZE_ID }}
+      APPLE_NOTARIZE_PASSWORD: ${{ secrets.APPLE_NOTARIZE_PASSWORD }}
+      APPLE_NOTARIZE_TEAM_ID: ${{ secrets.APPLE_NOTARIZE_TEAM_ID }}
     permissions:
       "attestations": "write"
       "contents": "read"
@@ -155,6 +158,18 @@ jobs:
           # Actually do builds and make zips and whatnot
           dist build ${{ needs.plan.outputs.tag-flag }} --print=linkage --output-format=json ${{ matrix.dist_args }} > dist-manifest.json
           echo "dist ran successfully"
+      - name: Notarize macOS binary
+        if: ${{ contains(join(matrix.targets, ','), 'apple-darwin') && needs.plan.outputs.publishing == 'true' }}
+        shell: bash
+        run: |
+          binary=$(find target/dist -name "bitmex" -not -path "*/build/*" -not -path "*/deps/*" | head -1)
+          zip_path="${binary}.zip"
+          ditto -c -k --keepParent "$binary" "$zip_path"
+          xcrun notarytool submit "$zip_path" \
+            --apple-id "$APPLE_NOTARIZE_ID" \
+            --password "$APPLE_NOTARIZE_PASSWORD" \
+            --team-id "$APPLE_NOTARIZE_TEAM_ID" \
+            --wait
       - name: Attest
         uses: actions/attest-build-provenance@v3
         with:

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bitmex-cli"
-version = "1.0.0"
+version = "1.0.0-alpha.1"
 edition = "2024"
 description = "BitMEX CLI — trade, query, and manage your BitMEX account from the terminal"
 license = "MIT"

dist-workspace.toml

@@ -12,7 +12,7 @@ installers = ["shell", "powershell"]
 # Target platforms to build apps for (Rust target-triple syntax)
 targets = ["aarch64-apple-darwin", "aarch64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-unknown-linux-gnu", "x86_64-pc-windows-msvc"]
 # Which actions to run on pull requests
-pr-run-mode = "upload"
+pr-run-mode = "plan"
 # The archive format to use for non-windows builds (defaults .tar.xz)
 unix-archive = ".tar.gz"
 # Whether to enable GitHub Attestations