From d7dea0f89a6c369e3e5951a5135a558c419ccf67 Mon Sep 17 00:00:00 2001
From: baiqing
Date: Thu, 30 Apr 2026 14:55:56 +0800
Subject: [PATCH] =?UTF-8?q?ci(release):=20=E6=98=BE=E5=BC=8F=20strip=20mac?= =?UTF-8?q?OS=20bundle=20xattr=20=E4=BD=9C=E4=B8=BA=20defense-in-depth?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Actions 输出本来就不带 com.apple.quarantine (actions/upload-artifact 不跨机器持久化 xattr, softprops/action-gh-release 上传 binary stream 也不带), 但加这一步让 "云端 artifact 一定干净" 变成可验证的承诺, 未来 release 不会因 runner 环境变化退化. 用户下载到本地后浏览器/LaunchServices 仍会加 quarantine, 依赖 release notes 里的 xattr -cr 指引或一行安装命令处理.
---
 .github/workflows/release-tauri.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/release-tauri.yml b/.github/workflows/release-tauri.yml
index a0e71082..28558a86 100644
--- a/.github/workflows/release-tauri.yml
+++ b/.github/workflows/release-tauri.yml
@@ -179,6 +179,24 @@ jobs:
 working-directory: 'openless-all/app/src-tauri/target/release/bundle'
 run: ls -la macos/ dmg/ nsis/ msi/ deb/ rpm/ appimage/ 2>/dev/null || true
+ # 防御性步骤:剥掉 macOS 产物上任何残留扩展属性 / quarantine。
+ # 理论上 GitHub Actions 输出的 .app/.dmg 不会带 com.apple.quarantine
+ # (xattr 也不会通过 actions/upload-artifact 跨机器持久化),但保留这一步
+ # 让"云端 artifact 一定干净"成为可验证的承诺。用户下载后再被本地浏览器
+ # 加 quarantine 时,按 release notes 的 `xattr -cr` 一行即可消除。
+ - name: Strip xattr / quarantine on macOS bundles
+ if: matrix.platform == 'macos-latest'
+ shell: bash
+ working-directory: 'openless-all/app/src-tauri/target/release/bundle'
+ run: |
+ for path in macos/*.app dmg/*.dmg; do
+ if [ -e "$path" ]; then
+ echo "▶ stripping xattr: $path"
+ xattr -cr "$path" || true
+ xattr -lr "$path" || true
+ fi
+ done
+

 - name: Upload macOS artifacts
 if: matrix.platform == 'macos-latest'
 uses: actions/upload-artifact@v4
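Review bot: The `|| true` on `xattr -cr "$path"` and the purely informational `xattr -lr "$path" || true` mean this step can never fail, so it does not deliver the "verifiable promise" the commit message claims — a strip that errors out, or attributes that survive it, are merely printed and the job carries on to the Upload step. With `shell: bash` GitHub runs the script under `-e`, so dropping `|| true` from the strip and exiting non-zero when `xattr -lr` still prints anything turns the step into an actual gate at no extra cost. If Tauri has already code-signed the bundle by this point (signing is outside this hunk), it would be prudent to also run `codesign --verify --deep --strict "$path"` for the `.app` in the same step, since altering bundle metadata after signing is the kind of change that can surface later as a Gatekeeper rejection. The enclosing job and its step list continue outside the hunk.
```yaml
      run: |
        for path in macos/*.app dmg/*.dmg; do
          # … unchanged: existence check and echo …
          xattr -cr "$path"
          if [ -n "$(xattr -lr "$path" 2>/dev/null)" ]; then
            echo "::error::residual extended attributes on $path"
            xattr -lr "$path"
            exit 1
          fi
          # … unchanged: fi / done …
```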