OxfordAbstracts · noisyscanner · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -25,17 +25,17 @@ jobs:
     strategy:
       matrix:
         include:
-          - os: ubuntu-latest
-            target: x86_64-unknown-linux-gnu
-
-          - os: ubuntu-latest
-            target: x86_64-unknown-linux-musl
-
+          # - os: ubuntu-latest
+          #   target: x86_64-unknown-linux-gnu
+          #
+          # - os: ubuntu-latest
+          #   target: x86_64-unknown-linux-musl
+          #
           - os: macos-latest
             target: universal-apple-darwin
-
-          - os: windows-latest
-            target: x86_64-pc-windows-msvc
+          #
+          # - os: windows-latest
+          #   target: x86_64-pc-windows-msvc
 
     steps:
       - name: Checkout repository
@@ -46,7 +46,50 @@ jobs:
         if: startsWith(matrix.os, 'ubuntu')
         with:
           target: ${{ matrix.target }}
-
+
+      - name: Install the Apple certificate, provisioning profile, and API key (macOS)
+        if: ${{ matrix.target == 'universal-apple-darwin' }}
+        id: keychain
+        env:
+          BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+          P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+          BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+          AUTH_KEY_BASE64: ${{ secrets.AUTH_KEY_BASE64 }}
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+          PP_PATH=$RUNNER_TEMP/build_pp.provisionprofile
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          AUTH_KEY_PATH=$RUNNER_TEMP/AuthKey.p8
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+          echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+
+          # apply provisioning profile
+          mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+          cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
+
+          # create auth key file for notarization
+          echo -n "$AUTH_KEY_BASE64" | base64 --decode -o $AUTH_KEY_PATH
+
+          # setup outputs
+          echo "auth_key_path=$AUTH_KEY_PATH" >> $GITHUB_OUTPUT
+          echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT
+          echo "pp_path=$PP_PATH" >> $GITHUB_OUTPUT
+          echo "certificate_path=$CERTIFICATE_PATH" >> $GITHUB_OUTPUT
+
       - name: Build and Release
         uses: taiki-e/upload-rust-binary-action@v1
         with:
@@ -57,3 +100,24 @@ jobs:
           locked: true
           target: ${{ matrix.target }}
           token: ${{ secrets.GITHUB_TOKEN }}
+
+          # Sign build products using codesign on macOS
+          codesign: "47BE53B998AB29ED40729A647D0E481FE058CE9F"
+          codesign-prefix: "com.purefunctor."
+          codesign-options: "runtime"
+
+      - name: Zip the binary for notarization (macOS)
+        if: ${{ matrix.target == 'universal-apple-darwin' }}
+        run: zip -r $RUNNER_TEMP/purescript-analyzer-signed.zip target/${{ matrix.target }}/release/purescript-analyzer
+
+      - name: Upload the binary for notarization (macOS)
+        if: ${{ matrix.target == 'universal-apple-darwin' }}
+        env:
+          KEY_ID: ${{ secrets.KEY_ID }}
+          ISSUER: ${{ secrets.ISSUER }}
+        run: |
+          xcrun notarytool submit $RUNNER_TEMP/purescript-analyzer-signed.zip \
+            --key "${{ steps.keychain.outputs.auth_key_path }}" \
+            --key-id "$KEY_ID" \
+            --issuer "$ISSUER" \
+            --wait