set up cross-platform shell and working macos binary

wip

Author: theoephraim

.env.schema

@@ -0,0 +1,4 @@
+# @defaultSensitive=false @defaultRequired=infer
+# ---
+
+FOO=foo-val

.github/workflows/binary-release.yaml

@@ -24,7 +24,30 @@ jobs:
         run: |
           echo "$GITHUB_CONTEXT"
 
+  # Build and sign the macOS native binary (cache hit if already built in CI)
+  build-native-macos:
+    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'varlock@')
+    uses: ./.github/workflows/build-native-macos.yaml
+    with:
+      mode: release
+      version: ${{ github.event_name == 'workflow_dispatch' && inputs.version || github.ref_name }}
+      artifact-name: native-bin-macos-signed
+    secrets:
+      OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
+
+  # Notarize the signed binary for production distribution
+  notarize-native-macos:
+    needs: build-native-macos
+    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'varlock@')
+    uses: ./.github/workflows/notarize-native-macos.yaml
+    with:
+      source-artifact-name: native-bin-macos-signed
+      artifact-name: native-bin-macos-release
+    secrets:
+      OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
+
   release-binaries:
+    needs: notarize-native-macos
     # was using github.ref.tag_name, but it seems that when publishing multiple tags at once, it was behaving weirdly
     if: github.event_name == 'workflow_dispatch' || startsWith(github.ref_name, 'varlock@')
     runs-on: ubuntu-latest
@@ -63,6 +86,13 @@ jobs:
           echo "RELEASE_TAG=varlock@${{ inputs.version }}" >> $GITHUB_ENV
           echo "RELEASE_VERSION=${{ inputs.version }}" >> $GITHUB_ENV
 
+      # Download the signed macOS native binary
+      - name: Download macOS native binary
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-macos-release
+          path: packages/varlock/native-bins/darwin/VarlockEnclave.app
+
       - name: build libs
         run: bun run build:libs
         env:

.github/workflows/build-native-macos.yaml

@@ -0,0 +1,131 @@
+name: Build macOS native binary
+
+# Reusable workflow that compiles, bundles, and Developer ID signs the
+# VarlockEnclave Swift binary on a macOS runner.
+#
+# The Swift .build directory is cached by source hash, so the compile
+# step (~minutes) is near-instant on cache hit. The .app bundle wrapping
+# (plist, icon, signing) always runs since it varies by mode/version.
+#
+# Notarization is intentionally NOT included here — it's a separate
+# workflow for production releases.
+
+on:
+  workflow_call:
+    inputs:
+      mode:
+        description: 'Build mode: dev, preview, or release (affects bundle metadata)'
+        type: string
+        default: 'preview'
+      version:
+        description: 'Bundle version string (e.g. 1.2.3)'
+        type: string
+        default: '0.0.0-preview'
+      artifact-name:
+        description: 'Name for the uploaded artifact'
+        type: string
+        default: 'native-bin-macos'
+    secrets:
+      OP_CI_TOKEN:
+        required: true
+
+jobs:
+  build:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Cache bun dependencies
+        uses: actions/cache@v5
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            bun-${{ runner.os }}-
+
+      - name: Install node deps
+        run: bun install
+
+      # Cache the Swift .build directory so compilation is fast on unchanged source
+      - name: Compute Swift source hash
+        id: swift-hash
+        run: |
+          HASH=$(find packages/encryption-binary-swift/swift -type f | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+          echo "hash=$HASH" >> $GITHUB_OUTPUT
+          echo "Swift source hash: $HASH"
+
+      - name: Cache Swift build artifacts
+        uses: actions/cache@v5
+        with:
+          path: packages/encryption-binary-swift/swift/.build
+          key: varlock-swift-build-${{ steps.swift-hash.outputs.hash }}
+
+      # Build varlock JS so we can use it to resolve secrets from 1Password
+      - name: Build varlock libs
+        run: bun run build:libs
+
+      # Import signing certificate from 1Password (secrets scoped to the Swift package)
+      - name: Import signing certificate
+        working-directory: packages/encryption-binary-swift
+        run: |
+          eval "$(bunx varlock load --format shell)"
+
+          KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db
+          KEYCHAIN_PASSWORD=$(openssl rand -base64 24)
+
+          echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > $RUNNER_TEMP/certificate.p12
+
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          security import $RUNNER_TEMP/certificate.p12 \
+            -P "$APPLE_CERTIFICATE_PASSWORD" \
+            -A -t cert -f pkcs12 \
+            -k "$KEYCHAIN_PATH"
+
+          security set-key-partition-list -S apple-tool:,apple:,codesign: \
+            -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db
+
+          echo "APPLE_SIGNING_IDENTITY=$APPLE_SIGNING_IDENTITY" >> $GITHUB_ENV
+        env:
+          OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
+
+      # Compile (cached), bundle with mode-specific metadata, and sign
+      - name: Build, bundle, and sign
+        run: |
+          bun run --filter @varlock/encryption-binary-swift build:swift \
+            -- --mode ${{ inputs.mode }} --version ${{ inputs.version }} --sign "$APPLE_SIGNING_IDENTITY"
+
+      - name: Verify binary
+        run: |
+          APP_PATH="packages/varlock/native-bins/darwin/VarlockEnclave.app"
+          echo "=== App bundle contents ==="
+          ls -la "$APP_PATH/Contents/MacOS/"
+          echo "=== Binary architectures ==="
+          lipo -info "$APP_PATH/Contents/MacOS/varlock-local-encrypt"
+          echo "=== Code signature ==="
+          codesign -dvv "$APP_PATH" 2>&1 || true
+          echo "=== Info.plist ==="
+          cat "$APP_PATH/Contents/Info.plist"
+
+      - name: Upload native binary artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: ${{ inputs.artifact-name }}
+          path: packages/varlock/native-bins/darwin/VarlockEnclave.app
+          retention-days: 7
+
+      - name: Cleanup signing keychain
+        if: always()
+        run: |
+          KEYCHAIN_PATH=$RUNNER_TEMP/signing.keychain-db
+          if [ -f "$KEYCHAIN_PATH" ]; then
+            security delete-keychain "$KEYCHAIN_PATH" || true
+          fi
+          rm -f $RUNNER_TEMP/certificate.p12

.github/workflows/notarize-native-macos.yaml

@@ -0,0 +1,85 @@
+name: Notarize macOS native binary
+
+# Reusable workflow that takes an already-signed .app bundle artifact,
+# submits it to Apple for notarization, and staples the ticket.
+# Requires a macOS runner for xcrun.
+
+on:
+  workflow_call:
+    inputs:
+      source-artifact-name:
+        description: 'Name of the signed .app artifact to notarize'
+        type: string
+        required: true
+      artifact-name:
+        description: 'Name for the notarized artifact'
+        type: string
+        default: 'native-bin-macos-notarized'
+    secrets:
+      OP_CI_TOKEN:
+        required: true
+
+jobs:
+  notarize:
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Cache bun dependencies
+        uses: actions/cache@v5
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            bun-${{ runner.os }}-
+
+      - name: Install node deps
+        run: bun install
+
+      - name: Build varlock libs
+        run: bun run build:libs
+
+      - name: Download signed .app bundle
+        uses: actions/download-artifact@v8
+        with:
+          name: ${{ inputs.source-artifact-name }}
+          path: VarlockEnclave.app
+
+      - name: Notarize and staple
+        working-directory: packages/encryption-binary-swift
+        run: |
+          eval "$(bunx varlock load --format shell)"
+
+          APP_PATH="$GITHUB_WORKSPACE/VarlockEnclave.app"
+
+          # Create a zip for notarization submission
+          ditto -c -k --keepParent "$APP_PATH" $RUNNER_TEMP/VarlockEnclave.zip
+
+          # Submit for notarization and wait
+          xcrun notarytool submit $RUNNER_TEMP/VarlockEnclave.zip \
+            --apple-id "$APPLE_ID" \
+            --password "$APPLE_APP_PASSWORD" \
+            --team-id "$APPLE_TEAM_ID" \
+            --wait
+
+          # Staple the notarization ticket to the app bundle
+          xcrun stapler staple "$APP_PATH"
+        env:
+          OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
+
+      - name: Verify notarization
+        run: |
+          echo "=== Code signature ==="
+          codesign -dvv VarlockEnclave.app 2>&1 || true
+          echo "=== Notarization staple ==="
+          xcrun stapler validate VarlockEnclave.app
+
+      - name: Upload notarized artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: ${{ inputs.artifact-name }}
+          path: VarlockEnclave.app
+          retention-days: 7

.github/workflows/release-preview.yaml

@@ -7,15 +7,74 @@ on:
 
 
 jobs:
+  # Check if varlock itself has changes that will be published
+  check-varlock-changed:
+    runs-on: ubuntu-latest
+    outputs:
+      varlock-changed: ${{ steps.check.outputs.varlock-changed }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Cache bun dependencies
+        uses: actions/cache@v5
+        with:
+          path: ~/.bun/install/cache
+          key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
+          restore-keys: |
+            bun-${{ runner.os }}-
+      - name: Install node deps
+        run: bun install
+
+      - name: Check if varlock has changes
+        id: check
+        run: |
+          CURRENT_BRANCH="${GITHUB_HEAD_REF:-$(git branch --show-current)}"
+          if [[ "$CURRENT_BRANCH" == "changeset-release/main" ]]; then
+            # On release branch, check if varlock's package.json was modified
+            if git diff origin/main --name-only | grep -q '^packages/varlock/package.json$'; then
+              echo "varlock-changed=true" >> $GITHUB_OUTPUT
+            else
+              echo "varlock-changed=false" >> $GITHUB_OUTPUT
+            fi
+          else
+            # Normal PR — check changesets
+            bunx changeset status --output=changesets-summary.json 2>/dev/null || true
+            if [ -f changesets-summary.json ]; then
+              if jq -e '.releases[] | select(.name == "varlock" and .newVersion != .oldVersion)' changesets-summary.json > /dev/null 2>&1; then
+                echo "varlock-changed=true" >> $GITHUB_OUTPUT
+              else
+                echo "varlock-changed=false" >> $GITHUB_OUTPUT
+              fi
+              rm -f changesets-summary.json
+            else
+              echo "varlock-changed=false" >> $GITHUB_OUTPUT
+            fi
+          fi
+          echo "varlock-changed=$(cat $GITHUB_OUTPUT | grep varlock-changed | cut -d= -f2)"
+
+  # Build + sign native binary only if varlock is being published
+  # (no notarization for preview — just signed)
+  build-native-macos:
+    needs: check-varlock-changed
+    if: needs.check-varlock-changed.outputs.varlock-changed == 'true'
+    uses: ./.github/workflows/build-native-macos.yaml
+    with:
+      artifact-name: native-bin-macos-preview
+    secrets:
+      OP_CI_TOKEN: ${{ secrets.OP_CI_TOKEN }}
+
   build:
+    needs: [check-varlock-changed, build-native-macos]
+    # Run even if build-native-macos was skipped (varlock not changed)
+    if: always() && !failure() && !cancelled()
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v6
         with:
-          # by default only the current commit is fetched
-          # but we need more history to be able to compare to main
-          # TODO: ideally we would just fetch the history between origin/main and the current commit
           fetch-depth: 0
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -35,6 +94,14 @@ jobs:
       - name: Enable turborepo build cache
         uses: rharkor/caching-for-turbo@v2.3.11
 
+      # Download signed macOS native binary if it was built
+      - name: Download macOS native binary
+        if: needs.check-varlock-changed.outputs.varlock-changed == 'true'
+        uses: actions/download-artifact@v8
+        with:
+          name: native-bin-macos-preview
+          path: packages/varlock/native-bins/darwin/VarlockEnclave.app
+
       # ------------------------------------------------------------
       - name: Build publishable npm packages
         run: bun run build:libs