release-mac-app
macOS app release: Sparkle, notarization, GitHub Release, Homebrew, closeout.
| name | release-mac-app |
| description | macOS app release: Sparkle, notarization, GitHub Release, Homebrew, closeout. |
Use for BlackBar, RepoBar, CodexBar, Trimmy, and similar Sparkle-updated macOS apps.
- `.mac-release.env`; it is the repo-owned release manifest.
- `scripts/mac-release` from this skill for shared release/appcast/verify work.
- `SPARKLE_PRIVATE_KEY_FILE` is an explicit override only.

```bash
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release status
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release notes [version] [output.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release changelog-html <version> [CHANGELOG.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release make-appcast <zip> [feed-url]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release verify-appcast [version]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release check-assets [tag]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release release
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release codesign-run [--with-package-secrets] -- <command> [args...]
```
Each repo owns .mac-release.env. It must contain no secrets.
Required:
- `MAC_RELEASE_APP_NAME`
- `MAC_RELEASE_REPO`
- `MAC_RELEASE_BUNDLE_ID`
- `MAC_RELEASE_VERSION_FILE`
- `MAC_RELEASE_APPCAST`
- `MAC_RELEASE_FEED_URL`
- `MAC_RELEASE_DOWNLOAD_URL_PREFIX`
- `MAC_RELEASE_APP_ZIP`
- `MAC_RELEASE_INFO_PLIST` or `MAC_RELEASE_SUPUBLIC_ED_KEY`
- `MAC_RELEASE_PACKAGE_CMD`

Common optional:
- `MAC_RELEASE_PRECHECK`
- `MAC_RELEASE_SOURCE_FILES` (space-separated app helper files to source before expanding artifact names)
- `MAC_RELEASE_DSYM_ZIP`
- `MAC_RELEASE_REQUIRE_DSYM=0` for app-only releases
- `MAC_RELEASE_ARTIFACT_PREFIX`
- `MAC_RELEASE_TAG_SIGNED`
- `MAC_RELEASE_TAG_FORCE`
- `MAC_RELEASE_RELEASE_BRANCH`
- `MAC_RELEASE_SPARKLE_ACCOUNT`
- `MAC_RELEASE_SPARKLE_CHANNEL`
- `MAC_RELEASE_GENERATE_APPCAST_ARGS`
- `MAC_RELEASE_RUN_SPARKLE_UPDATE_TEST`
- `MAC_RELEASE_SIGNING_KEY_FILE` (local fallback path only; Keychain is used when the file is absent)
- `MAC_RELEASE_EXTRA_ASSET_PATTERNS`
- `MAC_RELEASE_EXTRA_ASSET_WAIT_SECONDS`
- `MAC_RELEASE_EXTRA_ASSET_WAIT_INTERVAL`
- `MAC_RELEASE_OP_ITEM` + `MAC_RELEASE_OP_FIELDS` for required packaging secrets. The release helper reads the known item once via `op` inside one persistent tmux session, then exports the requested fields for the package command.
- `MAC_RELEASE_OP_ACCOUNT` defaults to `my.1password.com`; `MAC_RELEASE_OP_VAULT`, `MAC_RELEASE_OP_TMUX_SESSION`, `MAC_RELEASE_OP_WAIT_SECONDS` are optional. Without a vault, service-account token env is unset for that single `op` read so the personal desktop account handles it.
- `MAC_RELEASE_CODESIGN_IDENTITY` + `MAC_RELEASE_CODESIGN_OP_ITEM` + `MAC_RELEASE_CODESIGN_KEYCHAIN_MANAGED=1` enable non-interactive Developer ID signing. The keychain must be replaceable, dedicated to release automation, separate from the default keychain, not shared with interactive use, and contain exactly one signing private key. The helper owns and may permanently normalize that key's partition ACL to `apple-tool:,apple:,codesign:`. After precheck, the same tmux credential pass reads `keychain_path` and `keychain_password`, takes a per-user release lock, supplies the password through a private file descriptor to a CLI PTY, prepends the keychain without hiding existing keychains, verifies a Developer ID Application canary, scopes package signing through a temporary `codesign --keychain` shim, then restores transient state, relocks, and releases the lock.
- `MAC_RELEASE_CODESIGN_OP_ACCOUNT`, `MAC_RELEASE_CODESIGN_OP_VAULT`, `MAC_RELEASE_CODESIGN_OP_USE_SERVICE_ACCOUNT`, `MAC_RELEASE_CODESIGN_OP_PATH_FIELD`, and `MAC_RELEASE_CODESIGN_OP_PASSWORD_FIELD` override the codesign credential item defaults; account, vault, and service-account mode otherwise inherit the primary item settings. Set vault empty and service-account mode 0 for a personal desktop-account item. `MAC_RELEASE_CODESIGN_KEYCHAIN` + `MAC_RELEASE_CODESIGN_KEYCHAIN_PASSWORD` may be supplied directly instead.
- `MAC_RELEASE_RUN_LOGIN_SHELL=1` opts command hooks back into `bash -lc`; default hooks use `env -u BASH_ENV bash -c` so shell startup files cannot override exported release secrets.

1Password rules:
- `op` call if all `MAC_RELEASE_OP_FIELDS` are present.
- `MAC_RELEASE_OP_USE_SERVICE_ACCOUNT=1`.
- `op` reads in a fresh shell; rerun only from the same tmux session after explicit user direction.
- `codesign-run` instead of copying keychain setup into the repository. Supply the codesign manifest fields through `.mac-release.env` or explicit `MAC_RELEASE_CODESIGN_*` environment configuration. It loads only codesign credentials by default; pass `--with-package-secrets` when the wrapped release script also needs the configured package/notary fields in the same 1Password pass. It runs the bounded signing canary, scopes `codesign` through the managed-keychain shim, and restores/relocks before returning.
- `codesign`, `spctl`, and `stapler validate`.
- Unreleased in the app repo.
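
The hook-shell default described above (`env -u BASH_ENV bash -c` versus `bash -lc`) can be checked with this added example, which is not part of the skill's own scripts. `NOTARY_PASSWORD`, the startup files and all values are constructed placeholders, and the login case removes `BASH_ENV` so that only the profile file's effect is visible.

```bash
#!/usr/bin/env bash
# Added example. NOTARY_PASSWORD and every value below are constructed placeholders.

# run_hook MODE CMD: run CMD the way a release command hook could be launched.
run_hook() {
  case "$1" in
    hardened) env -u BASH_ENV bash -c "$2" ;;   # default hook shell described above
    bashenv)  bash -c "$2" ;;                   # BASH_ENV inherited from the caller
    login)    env -u BASH_ENV bash -lc "$2" ;;  # login shell: profile files still run
    *)        return 2 ;;
  esac
}

# demo: print MODE=VALUE, where VALUE is the secret as the hook actually saw it.
demo() {
  sandbox=$(mktemp -d) || return 1
  # Constructed startup files that reassign the variable, as a stale dotfile might.
  printf 'export NOTARY_PASSWORD=stale-from-bash-env\n' > "$sandbox/env.sh"
  printf 'export NOTARY_PASSWORD=stale-from-profile\n' > "$sandbox/.bash_profile"
  for mode in hardened bashenv login; do
    (
      # Subshell: these exports model the helper's environment and do not leak out.
      export HOME="$sandbox" BASH_ENV="$sandbox/env.sh" SEEN="$sandbox/seen"
      export NOTARY_PASSWORD=from-1password
      # The hook writes to a file so startup-file output on stdout cannot mix in.
      run_hook "$mode" 'printf %s "$NOTARY_PASSWORD" > "$SEEN"' >/dev/null 2>&1
    )
    printf '%s=%s\n' "$mode" "$(cat "$sandbox/seen")"
  done
  rm -rf "$sandbox"
}

demo
```

Only the `hardened` line keeps the exported value; the other two show a startup file replacing it before the hook command runs.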