Add macOS ARM64/x86_64 brew-ready release bundle and signing flow#319
Merged
Conversation
Package Homebrew-friendly macOS artifacts with libexec/chiavdf dylibs, switch hardware binary rpaths to @loader_path-relative lookup, and move ad-hoc signing to an optional local escape hatch while adding release-time signing/notarization upload paths.
Run secret detection, cert import, bundle assembly, and codesign on all optimized macOS ARM64 CI jobs; keep notarization release-only and continue publishing the macOS bundle artifact for non-release runs with run-id versioning.
Replace ripgrep-based checks in the macOS ARM64 bundle assembly step with portable grep equivalents so the workflow runs on macOS runners that do not have rg installed by default.
Add a STATIC_GMP make toggle and wire macos-13-arm64 workflow builds to pass static GMP archives so release/local CI binaries avoid dynamic Homebrew GMP runtime dependencies.
This restores dynamic GMP handling and leaves a TODO to make GMP a formal prerequisite once the Homebrew cask/tap wiring is in place. Co-authored-by: Cursor <cursoragent@cursor.com>
Resolve workflow conflicts by keeping the macOS ARM64 brew-bundle steps while adopting upstream multi-arch Ubuntu artifact and packaging updates. Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid failing/noisy install_name_tool delete_rpath calls by changing rpaths only when present or missing, keeping bundle assembly logs clean while preserving portable loader paths. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Ensure the macOS ARM64 bundle signs both executables and bundled FTDI dylibs, verifies all shipped Mach-O artifacts carry valid Developer ID signatures, and publishes a codesign -dv summary artifact for release auditing. Co-authored-by: Cursor <cursoragent@cursor.com>
Avoid passing unmatched macOS codesign-summary globs to gh release upload so unsigned release builds can still publish artifacts. Co-authored-by: Cursor <cursoragent@cursor.com>
Allow macOS bundle signature verification to pass when codesign output omits Authority lines but strict verification succeeds and TeamIdentifier is present. Co-authored-by: Cursor <cursoragent@cursor.com>
Run the macOS bundle/sign/upload flow for both Intel and ARM64 so release and CI outputs include both brew-tap distributables. Co-authored-by: Cursor <cursoragent@cursor.com>
Enforce release-time checks for Apple signing and notarization secrets so macOS artifacts fail fast unless they are signed and notarized, while keeping non-release runs permissive. Co-authored-by: Cursor <cursoragent@cursor.com>
Add a workflow_dispatch input to explicitly request macOS notarization and route the existing checks/gates through that request path so manual runs can exercise notarization behavior. Co-authored-by: Cursor <cursoragent@cursor.com>
Publish Homebrew-friendly macOS asset aliases and include per-arch URLs, hashes, and gmp runtime dependency data in the glue trigger payload. Co-authored-by: Cursor <cursoragent@cursor.com>
Use flat top-level JSON fields for formula inputs so downstream workflow_dispatch wiring can consume values without nested parsing. Co-authored-by: Cursor <cursoragent@cursor.com>
Pass only release_version in the glue trigger payload since the downstream homebrew workflow derives URLs and hashes from that input. Co-authored-by: Cursor <cursoragent@cursor.com>
…load Require release builds to have signing and notarization secrets up front so tagged releases fail fast if notarization cannot run, and keep non-release unsigned fallback behavior unchanged. Also send only release_version in the Homebrew trigger metadata. Co-authored-by: Cursor <cursoragent@cursor.com>
Revert the glue trigger json_data to use github.event.release.tag_name directly for parity with main. Thanks @cmmarslender for guiding me to the right answer. Co-authored-by: Cursor <cursoragent@cursor.com>
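The signature gate described in the commits above (sign executables and bundled FTDI dylibs, verify a Developer ID signature on every shipped Mach-O, tolerate missing Authority lines only when strict verification passes and a TeamIdentifier is present, never ship ad-hoc signatures) as an added, stand-alone example; it is not the workflow's own code. The codesign -dv samples are constructed, TEAMID0000 is a placeholder team id, and libft4222.dylib is an assumed file name.

```shell
# Constructed `codesign -dv --verbose=2` text for three bundle members. The
# real tool writes this to stderr; the workflow captures it per artifact.
FULL_CHAIN='Executable=bin/hw_vdf_client
Identifier=hw_vdf_client
Format=Mach-O thin (arm64)
Authority=Developer ID Application: Example Org (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'

# Same signer, but no Authority lines were printed: the case the workflow
# accepts when `codesign --verify --strict` still succeeds.
NO_AUTHORITY='Executable=libexec/chiavdf/libft4222.dylib
Identifier=libft4222
Format=Mach-O thin (arm64)
TeamIdentifier=TEAMID0000'

# Ad-hoc signature: no identity, no team. Must never ship in a release zip.
ADHOC='Executable=bin/vdf_bench
Identifier=vdf_bench
Format=Mach-O thin (arm64)
Signature=adhoc
TeamIdentifier=not set'

# signature_ok: read one artifact's codesign -dv text on stdin; $1 is the
# exit status of a separate `codesign --verify --strict` run on that file.
# Returns 0 only when strict verification passed, TeamIdentifier names a
# real team, and either a Developer ID Application authority is listed or
# no Authority lines were emitted at all. Everything else returns 1.
signature_ok() {
  [ "$1" -eq 0 ] || return 1            # strict verify failed: never ship
  text=$(cat)
  team=$(printf '%s\n' "$text" | sed -n 's/^TeamIdentifier=//p')
  if [ -z "$team" ] || [ "$team" = "not set" ]; then
    return 1                            # unsigned or ad-hoc signed
  fi
  if printf '%s\n' "$text" | grep -q '^Authority='; then
    # authorities are listed: the leaf must be the Developer ID certificate
    printf '%s\n' "$text" | grep -q '^Authority=Developer ID Application:' || return 1
  fi
  return 0   # Developer ID leaf found, or no Authority lines (team + strict verify suffice)
}
```

Run it per file as `codesign -dv --verbose=2 "$f" 2>&1 >/dev/null | signature_ok "$strict_rc"` after capturing the `--verify --strict` exit code, and fail the bundle step on the first non-zero result.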
cmmarslender
approved these changes
Feb 24, 2026
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Summary
- vdf-client-hw.yml with deterministic bin/ payload and private FTDI dylibs in libexec/chiavdf/
- @loader_path/../libexec/chiavdf, enforce install-name/rpath portability checks, and publish zip + sha256 + signing status assets to releases
- get-libft4222.sh, keep xattr cleanup, and retain CHIAVDF_ADHOC_SIGN_FTDI=1 as an explicit local troubleshooting escape hatch
- assets/macos-release-bundle.md

Test plan
- bash -n scripts/get-libft4222.sh
- .github/workflows/vdf-client-hw.yml
- make optimized=1 -f src/Makefile.vdf-client vdf_client vdf_bench emu_hw_test emu_hw_vdf_client hw_test hw_vdf_client
- src/emu_hw_test 1 2000, src/emu_hw_vdf_client --list, src/vdf_bench square 10000
- src/vdf_client --help emits usage and exits non-zero as expected without required args

Made with Cursor
Note
Medium Risk
Touches CI release automation for macOS packaging, signing, and notarization; misconfiguration or secret availability could break release builds or produce incorrectly signed assets.
Overview
Adds a macOS Homebrew-ready release bundle to build-packages.yml, assembling a deterministic zip layout (binaries + private FTDI dylibs), rewriting rpaths to @loader_path/../libexec/chiavdf, and enforcing portability checks via otool. Introduces conditional Apple code-signing and optional notarization: secrets are probed, certificates imported only when present, release runs require signing/notarization secrets, and non-release runs can emit an -unsigned bundle; the workflow now uploads macOS zips/sha256/signing status/codesign summaries to artifacts and releases (with --clobber), and adds a workflow_dispatch input to request notarization. Updates scripts/get-libft4222.sh to stop mandatory ad-hoc signing on macOS (now optional via CHIAVDF_ADHOC_SIGN_FTDI=1) while also clearing com.apple.quarantine, and adds assets/macos-release-bundle.md documenting the bundle layout and signing behavior.

Written by Cursor Bugbot for commit 8e2e06e.
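The otool-based portability check and the "change rpaths only when present or missing" logic from the overview and commit list, as an added example that is not the workflow's own code. The otool -L and LC_RPATH samples are constructed; the Homebrew and build-tree paths in them are illustrative, and libft4222.dylib is an assumed file name.

```shell
# Constructed `otool -L` output for a binary in the bundle's bin/ directory.
# The first line is the object itself; /usr/lib and @loader_path entries are
# relocatable, an absolute Homebrew or build-tree path is not.
PORTABLE_SAMPLE='bin/hw_vdf_client:
    @loader_path/../libexec/chiavdf/libft4222.dylib (compatibility version 1.0.0, current version 1.4.4)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)'

NONPORTABLE_SAMPLE='bin/hw_vdf_client:
    /opt/homebrew/opt/gmp/lib/libgmp.10.dylib (compatibility version 15.0.0, current version 15.1.0)
    /Users/ci/build/libft4222.dylib (compatibility version 1.0.0, current version 1.4.4)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.100.2)'

# check_load_commands: read `otool -L FILE` text on stdin, print every
# dependency that would break once the zip is moved, return 1 if any exist.
check_load_commands() {
  bad=$(tail -n +2 | awk '{print $1}' |
    grep -Ev '^(/usr/lib/|/System/|@loader_path/|@rpath/|@executable_path/)' || true)
  if [ -n "$bad" ]; then
    printf 'non-portable load command(s):\n%s\n' "$bad" >&2
    return 1
  fi
}

# plan_rpath_edits: read the current LC_RPATH paths, one per line (e.g. from
# `otool -l FILE | awk '/LC_RPATH/{f=1} f && /path /{print $2; f=0}'`), and
# print the install_name_tool flags that leave exactly $1 in place. Prints
# nothing when the file is already right, so the caller never issues a
# delete_rpath for an absent path or an add_rpath for a present one.
plan_rpath_edits() {
  want=$1
  have_want=0
  while IFS= read -r p; do
    [ -z "$p" ] && continue
    if [ "$p" = "$want" ]; then
      have_want=1
    else
      printf '%s %s\n' -delete_rpath "$p"
    fi
  done
  [ "$have_want" -eq 1 ] || printf '%s %s\n' -add_rpath "$want"
}
```

In the assembly step the output of plan_rpath_edits is what gets passed to install_name_tool for each Mach-O, and check_load_commands runs afterwards on every file under bin/ and libexec/chiavdf/.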