ci(release): gate signed release on the release environment#2249
Merged
harshitsinghbhandari merged 1 commit intoJun 28, 2026
Conversation
The Desktop release fires on any desktop-v* tag push and consumes the repo-level signing secrets, so any write-access collaborator can cut a signed prod build. Reference the `release` environment from the build jobs so a designated reviewer must approve before the secrets are used. Takes effect once required reviewers are configured on that environment. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Vaibhaav-Tiwari
approved these changes
Jun 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The Desktop release workflow triggers on any
desktop-v*tag push (orworkflow_dispatch) and consumes the repo-level macOS signing secrets. There is no tag protection and no environment gate, so any of the ~10 write-access collaborators can cut a fully signed, notarized production build to ~7.6k users. Now that live Developer ID + notarization secrets are configured on this repo, that surface should be closed.What
Adds
environment: releaseto thereleaseandrelease-inteljobs so the build that uses the signing secrets cannot run until a required reviewer approves the deployment to thereleaseenvironment.Required to take effect (admin)
This PR is inert until an admin configures the
releaseenvironment (Settings > Environments > release) with required reviewers. Until then, behavior is unchanged (no worse than today). Recommended companion control: a tag ruleset restricting who can createdesktop-v*tags.Note for whoever merges second
This touches the
release-inteljob, which #2244 also edits (macos-13->macos-15-intel). If #2244 merges first, resolve the trivial conflict by keeping bothruns-on: macos-15-intelandenvironment: release.🤖 Generated with Claude Code