From d7e2a4b669bcd3420f68db1796f8618ce324f124 Mon Sep 17 00:00:00 2001
From: Kyle Mendell
Date: Mon, 25 May 2026 09:20:01 -0500
Subject: [PATCH] chore: add macos noterization
---
 .github/workflows/build-next.yml | 5 +++++
 .github/workflows/release.yml | 5 +++++
 .goreleaser.yaml | 15 +++++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/.github/workflows/build-next.yml b/.github/workflows/build-next.yml
index 171dba30..48a9603b 100644
--- a/.github/workflows/build-next.yml
+++ b/.github/workflows/build-next.yml
@@ -72,3 +72,8 @@ jobs:
 SKIP_CHANGELOG: "true"
 GORELEASER_CURRENT_TAG: next-static-${{ steps.vars.outputs.sha_short }}
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+ MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+ MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+ MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+ MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+ MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a7c2085c..2d0467f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -103,6 +103,11 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+ MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+ MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+ MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+ MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+ MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
 - name: Publish release
 env:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 1fe29251..fa93c759 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
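Review bot: The five `MACOS_*` secrets are added to the `env:` of the whole GoReleaser step in build-next.yml, and the same five lines are added in the release.yml hunk, so every process that step spawns (build hooks, anything GoReleaser shells out to) can read the P12 signing certificate, its password and the notary API key. The trigger and permissions of build-next.yml are outside this hunk, so it is worth confirming that the workflow cannot run for untrusted refs, or binding these secrets to a protected GitHub environment so that only approved runs receive them. A short comment above the added lines would also help, e.g. `# macOS signing/notarization inputs; consumed only by the notarize block in .goreleaser.yaml`. The step definitions begin outside both hunks.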
@@ -174,6 +174,21 @@ dockers_v2:
 disable: '{{ if not (index .Env "BUILD_NEXT") }}true{{ end }}'
 sbom: true
+notarize:
+ macos:
+ - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
+ ids:
+ - pocket-id
+ sign:
+ certificate: "{{ .Env.MACOS_SIGN_P12 }}"
+ password: "{{ .Env.MACOS_SIGN_PASSWORD }}"
+ notarize:
+ issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
+ key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
+ key: "{{ .Env.MACOS_NOTARY_KEY }}"
+ wait: true
+ timeout: 20m
+
 changelog:
 disable: true
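Review bot: The `enabled` gate checks only `MACOS_SIGN_P12`, so a run without that secret presumably skips signing and notarization without failing, while a run that has it but lacks one of the other four values fails only at signing or notary submission. For release builds a silent skip means unsigned macOS binaries could be published unnoticed; if that is not intended, the release workflow could verify that all five variables are non-empty before invoking GoReleaser (the workflow steps are not visible in this hunk). At minimum a comment above the block should state the behaviour, e.g. `# Skipped when MACOS_SIGN_P12 is unset (forks, local builds); release runs must provide all five MACOS_* values`. Also confirm that `pocket-id` matches the id of the darwin build, which is defined outside this hunk.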