release-mac-app
// macOS app release: Sparkle, notarization, GitHub Release, Homebrew, closeout.
| name | release-mac-app |
| description | macOS app release: Sparkle, notarization, GitHub Release, Homebrew, closeout. |
Use for BlackBar, RepoBar, CodexBar, Trimmy, and similar Sparkle-updated macOS apps.
- `.mac-release.env`; it is the repo-owned release manifest.
- `scripts/mac-release` from this skill for shared release/appcast/verify work.
- `SPARKLE_PRIVATE_KEY_FILE` is an explicit override only.

```bash
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release status
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release notes [version] [output.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release changelog-html <version> [CHANGELOG.md]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release make-appcast <zip> [feed-url]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release verify-appcast [version]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release check-assets [tag]
/Users/steipete/Projects/agent-scripts/skills/release-mac-app/scripts/mac-release release
```

Each repo owns .mac-release.env. It must contain no secrets.
Required:
- `MAC_RELEASE_APP_NAME`
- `MAC_RELEASE_REPO`
- `MAC_RELEASE_BUNDLE_ID`
- `MAC_RELEASE_VERSION_FILE`
- `MAC_RELEASE_APPCAST`
- `MAC_RELEASE_FEED_URL`
- `MAC_RELEASE_DOWNLOAD_URL_PREFIX`
- `MAC_RELEASE_APP_ZIP`
- `MAC_RELEASE_INFO_PLIST` or `MAC_RELEASE_SUPUBLIC_ED_KEY`
- `MAC_RELEASE_PACKAGE_CMD`

Common optional:

- `MAC_RELEASE_PRECHECK`
- `MAC_RELEASE_SOURCE_FILES` (space-separated app helper files to source before expanding artifact names)
- `MAC_RELEASE_DSYM_ZIP`
- `MAC_RELEASE_REQUIRE_DSYM=0` for app-only releases
- `MAC_RELEASE_ARTIFACT_PREFIX`
- `MAC_RELEASE_TAG_SIGNED`
- `MAC_RELEASE_TAG_FORCE`
- `MAC_RELEASE_RELEASE_BRANCH`
- `MAC_RELEASE_SPARKLE_ACCOUNT`
- `MAC_RELEASE_SPARKLE_CHANNEL`
- `MAC_RELEASE_GENERATE_APPCAST_ARGS`
- `MAC_RELEASE_RUN_SPARKLE_UPDATE_TEST`
- `MAC_RELEASE_SIGNING_KEY_FILE` (local fallback path only; Keychain is used when the file is absent)
- `MAC_RELEASE_EXTRA_ASSET_PATTERNS`
- `MAC_RELEASE_EXTRA_ASSET_WAIT_SECONDS`
- `MAC_RELEASE_EXTRA_ASSET_WAIT_INTERVAL`
- `MAC_RELEASE_OP_ITEM` + `MAC_RELEASE_OP_FIELDS` for required packaging secrets. The release helper reads the known item once via `op` inside one persistent tmux session, then exports the requested fields for the package command.
- `MAC_RELEASE_OP_ACCOUNT` defaults to `my.1password.com`; `MAC_RELEASE_OP_VAULT`, `MAC_RELEASE_OP_TMUX_SESSION`, `MAC_RELEASE_OP_WAIT_SECONDS` are optional. Without a vault, service-account token env is unset for that single `op` read so the personal desktop account handles it.
- `MAC_RELEASE_RUN_LOGIN_SHELL=1` opts command hooks back into `bash -lc`; default hooks use `env -u BASH_ENV bash -c` so shell startup files cannot override exported release secrets.

1Password rules:
- `op` call if all `MAC_RELEASE_OP_FIELDS` are present.
- `op item get` inside tmux for the whole release.
- `MAC_RELEASE_OP_USE_SERVICE_ACCOUNT=1`.
- `op` reads in a fresh shell; rerun only from the same tmux session after explicit user direction.

- `codesign`, `spctl`, and `stapler validate`.
- `Unreleased` in the app repo.
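
The `MAC_RELEASE_RUN_LOGIN_SHELL` note above says default hooks run under `env -u BASH_ENV bash -c` so startup files cannot override exported secrets. The script below is an added example, not code from this skill: it runs the same hook body in three shell modes and reports which value the hook sees. `DEMO_SECRET`, `run_hook`, and the temporary startup files are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: how a command hook's shell mode decides whether startup
# files can replace a secret the release helper already exported.
# DEMO_SECRET and every value below are constructed for this demo.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# A startup file that silently overrides the exported variable.
printf 'export DEMO_SECRET=from-startup-file\n' > "$demo_dir/rc"
cp "$demo_dir/rc" "$demo_dir/.bash_profile"

# Hook body: record the value a packaging command would see.
# Written to a file so output from system profile scripts cannot pollute it.
hook='printf %s "$DEMO_SECRET" > "$OUT"'

# run_hook MODE -> prints the DEMO_SECRET value observed inside the hook
run_hook() {
  (
    export DEMO_SECRET=from-release-helper   # what the helper exported
    export OUT="$demo_dir/out.$1"
    export BASH_ENV="$demo_dir/rc"           # inherited, polluted environment
    export HOME="$demo_dir"                  # login shells read $HOME/.bash_profile
    case "$1" in
      plain)    bash -c "$hook" ;;                   # non-interactive bash sources $BASH_ENV
      login)    env -u BASH_ENV bash -lc "$hook" ;;  # login shell sources .bash_profile
      hardened) env -u BASH_ENV bash -c "$hook" ;;   # reads no startup file
      *)        exit 2 ;;
    esac
    cat "$OUT"
  )
}

for mode in plain login hardened; do
  printf '%-9s DEMO_SECRET=%s\n' "$mode" "$(run_hook "$mode")"
done
```

Only the `hardened` mode keeps the value the helper exported; `login` corresponds to opting in with `MAC_RELEASE_RUN_LOGIN_SHELL=1`, so any repo that sets it should audit the profile files on the release machine.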