feat: Sign and notarize MacOS binaries

Author: armsnyder

.github/.goreleaser.yaml

@@ -32,3 +32,15 @@ checksum:
 # https://goreleaser.com/customization/changelog
 changelog:
   disable: true # Handled by release-please
+
+# https://goreleaser.com/customization/notarize
+notarize:
+  macos:
+    - enabled: true
+      sign:
+        certificate: "{{ .Env.MACOS_SIGN_P12 }}"
+        password: "{{ .Env.MACOS_SIGN_PASSWORD }}"
+      notarize:
+        issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
+        key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
+        key: "{{ .Env.MACOS_NOTARY_KEY }}"

.github/workflows/assets.yaml

@@ -16,10 +16,15 @@ jobs:
         with:
           app-id: ${{ vars.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
-      - name: Upload artifacts
+      - name: Build and upload assets
         uses: goreleaser/goreleaser-action@v6
         with:
           version: '~> v2'
           args: release --config .github/.goreleaser.yaml
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}