From a36b7878d08892ddf5515b253174fabcc457b7e2 Mon Sep 17 00:00:00 2001
From: LaZzyMan
Date: Tue, 16 Jun 2026 10:23:32 +0800
Subject: [PATCH] ci(desktop): notarize via App Store Connect API key instead of Apple ID

Switch the macOS desktop release notarization path from the Apple ID + app-specific password method to the App Store Connect API key method, which is more robust (no 2FA, no password expiry) and reuses the notary key already provisioned for the org's Apple Developer account.

The signing step now reads APPLE_NOTARY_API_KEY_P8_BASE64, APPLE_NOTARY_KEY_ID, and APPLE_NOTARY_ISSUER_ID, decodes the .p8 to a temp file, and exports APPLE_API_KEY/APPLE_API_KEY_ID/APPLE_API_ISSUER, which electron-builder (>=24) consumes to notarize via notarytool. The existing unsigned-draft fallback behavior is preserved.
---
 .github/workflows/desktop-release.yml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
index accb7ac1c..b0cf53379 100644
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@@ -282,8 +282,9 @@ jobs:
 shell: bash
 env:
 IS_DRY_RUN: ${{ inputs.dry_run }}
- APPLE_APP_SPECIFIC_PASSWORD_SECRET: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
- APPLE_ID_SECRET: ${{ secrets.APPLE_ID }}
+ APPLE_NOTARY_API_KEY_P8_BASE64_SECRET: ${{ secrets.APPLE_NOTARY_API_KEY_P8_BASE64 }}
+ APPLE_NOTARY_KEY_ID_SECRET: ${{ secrets.APPLE_NOTARY_KEY_ID }}
+ APPLE_NOTARY_ISSUER_ID_SECRET: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
 APPLE_TEAM_ID_SECRET: ${{ secrets.APPLE_TEAM_ID }}
 IS_DRAFT: ${{ inputs.draft }}
 MAC_CSC_KEY_PASSWORD_SECRET: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
@@ -333,10 +334,19 @@ jobs:
 exit 1
 fi
 
+ # Materialize the App Store Connect API key (.p8) so electron-builder
+ # (>=24) notarizes via notarytool. It reads APPLE_API_KEY (a path to
+ # the .p8 file), APPLE_API_KEY_ID, and APPLE_API_ISSUER from the env.
+ if [ -n "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" ] && [ -n "$APPLE_NOTARY_KEY_ID_SECRET" ] && [ -n "$APPLE_NOTARY_ISSUER_ID_SECRET" ]; then
+ api_key_path="${RUNNER_TEMP}/apple-notary-key.p8"
+ printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path"
+ append_env "APPLE_API_KEY" "$api_key_path"
+ append_env "APPLE_API_KEY_ID" "$APPLE_NOTARY_KEY_ID_SECRET"
+ append_env "APPLE_API_ISSUER" "$APPLE_NOTARY_ISSUER_ID_SECRET"
+ fi
+
 append_env "CSC_LINK" "$mac_csc_link"
 append_env "CSC_KEY_PASSWORD" "$mac_csc_key_password"
- append_env "APPLE_ID" "$APPLE_ID_SECRET"
- append_env "APPLE_APP_SPECIFIC_PASSWORD" "$APPLE_APP_SPECIFIC_PASSWORD_SECRET"
 append_env "APPLE_TEAM_ID" "$APPLE_TEAM_ID_SECRET"
 echo "CSC_IDENTITY_AUTO_DISCOVERY=true" >> "$GITHUB_ENV"
 else
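Review bot: The decoded .p8 private key is written to `$RUNNER_TEMP` under the shell's default umask and is never removed, so on a self-hosted runner the notary key can be readable by other local accounts and outlive the job; create it with a restrictive mask, `(umask 077; printf '%s' "$APPLE_NOTARY_API_KEY_P8_BASE64_SECRET" | base64 --decode > "$api_key_path")`, and delete it in an `if: always()` cleanup step after the build. A failed or empty decode is not detected before `APPLE_API_KEY` is exported, so a malformed secret would surface only as a notarytool failure later; `[ -s "$api_key_path" ] || { echo "::error::notary API key did not decode"; exit 1; }` right after the decode fails fast with a clear message. When only one or two of the three notary secrets are set the whole block is skipped silently and the build ships signed but unnotarized; an `elif` emitting `echo "::warning::notary secrets partially configured; skipping notarization"` would make that visible in the run log. The enclosing if/else around this block starts and ends outside the hunk, so whether `set -e`/`pipefail` already covers the decode pipeline cannot be confirmed from here.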