ci: release: add MacOS signing

Add signing of the MacOS release binaries.

Signed-off-by: Jordan Yates <[email protected]>

Author: JordanYates

.github/workflows/release.yml

@@ -4,6 +4,8 @@ permissions:
   contents: write
 
 on:
+  pull_request:
+    types: [ labeled ]
   push:
     tags:
       - v[0-9]+.*
@@ -13,13 +15,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'push' }}
       - uses: taiki-e/create-gh-release-action@v1
+        if: ${{ github.event_name == 'push' }}
         with:
           # (optional) Path to changelog.
           changelog: CHANGELOG.md
           # (required) GitHub token for creating GitHub Releases.
           token: ${{ secrets.GITHUB_TOKEN }}
   upload-assets:
+    if: ${{ (github.event_name == 'push') || (github.event.label.name == 'release') }}
     needs: create-release
     strategy:
       matrix:
@@ -38,6 +43,20 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+      - name: MacOS Signing setup
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+          security create-keychain -p "" build.keychain
+          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security list-keychains -s build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "" build.keychain
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
       - uses: taiki-e/upload-rust-binary-action@v1
         with:
           # (required) Comma-separated list of binary names (non-extension portion of filename) to build and upload.
@@ -49,3 +68,8 @@ jobs:
           target: ${{ matrix.target }}
           # (required) GitHub token for uploading assets to GitHub Releases.
           token: ${{ secrets.GITHUB_TOKEN }}
+          # Dry-run unless a release
+          dry-run: ${{ github.event_name != 'push' }}
+          # MacOS codesign parameters
+          codesign: $${{ secrets.MACOS_SIGNING_IDENTITY }}
+          codesign-options: runtime