From fc4e382099720ff073c8befb496883bfa8c2290e Mon Sep 17 00:00:00 2001
From: Rian Stockbower
Date: Wed, 3 Jun 2026 16:35:40 -0400
Subject: [PATCH 1/3] feat: sign gro darwin binaries with a stable code-signing identity

Add the darwin hooks.post to the gro-darwin build (centralized codesign-darwin.sh via $CODESIGN_DARWIN_SCRIPT), forward the four macos-cert-* secrets, and bump version.txt to 1.1 so the merge cuts a signed release.

Closes #154
---
 .github/workflows/release.yml | 4 ++++
 .goreleaser.yaml | 7 +++++++
 version.txt | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 33a662c..d71dd1a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,3 +36,7 @@ jobs:
 chocolatey-api-key: ${{ secrets.CHOCOLATEY_API_KEY }}
 winget-token: ${{ secrets.WINGET_GITHUB_TOKEN }}
 linux-dispatch-token: ${{ secrets.LINUX_PACKAGES_DISPATCH_TOKEN }}
+ macos-cert-p12: ${{ secrets.MACOS_CERT_P12 }}
+ macos-cert-password: ${{ secrets.MACOS_CERT_PASSWORD }}
+ macos-cert-cn: ${{ secrets.MACOS_CERT_CN }}
+ macos-cert-leaf-sha: ${{ secrets.MACOS_CERT_LEAF_SHA }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index ec74aa6..13f7677 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
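Review bot: The four added entries hand the signing P12 and its password to a reusable workflow whose `uses:` line sits above this hunk, so the pin on that workflow (a commit SHA rather than a mutable branch or tag ref) now guards signing material, not just package-manager tokens; confirm it is a SHA before this merges. `MACOS_CERT_CN` and `MACOS_CERT_LEAF_SHA` look like identity-pinning values rather than credentials; carrying them as secrets is harmless but means the CN string is masked wherever a log prints it, which can hide the very identity a failing run is trying to report — if the consuming workflow accepts them as plain inputs, that would read cleaner. A short comment above the new lines, `# macOS signing identity — consumed by macos-codesign-setup, which exports CODESIGN_DARWIN_SCRIPT for the hook in .goreleaser.yaml`, would tie the two halves of this change together. The enclosing job starts outside the hunk.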
@@ -42,6 +42,13 @@ builds:
 - -X github.com/open-cli-collective/google-readonly/internal/version.Version={{.Version}}
 - -X github.com/open-cli-collective/google-readonly/internal/version.Commit={{.Commit}}
 - -X github.com/open-cli-collective/google-readonly/internal/version.Date={{.Date}}
+ # macOS code-signing — stable DR so Keychain "Always Allow" survives brew upgrade
+ # (cli-common distribution.md §2A). Logic + identity live in open-cli-collective/.github
+ # (macos-codesign-setup), which exports CODESIGN_DARWIN_SCRIPT (absolute). Unset in
+ # local builds → signing skipped.
+ hooks:
+ post:
+ - cmd: bash -c 'f="${CODESIGN_DARWIN_SCRIPT:-}"; [ -n "$f" ] && [ -x "$f" ] && exec "$f" "$0" "$1"; echo "skip codesign (no CODESIGN_DARWIN_SCRIPT)"' "{{ .Path }}" "{{ .Os }}"
 - id: gro-unix-win
 main: ./cmd/gro
 binary: gro
diff --git a/version.txt b/version.txt
index d3827e7..9459d4b 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.0
+1.1

From d4cd180140c7473565b07ce8dc049fca4dabd69a Mon Sep 17 00:00:00 2001
From: Rian Stockbower
Date: Wed, 3 Jun 2026 16:37:25 -0400
Subject: [PATCH 2/3] docs: correct stale 'unsigned' cask comment now that gro is signed

---
 .goreleaser.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 13f7677..f840956 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -101,7 +101,8 @@ nfpms:
 - src: LICENSE
 dst: /usr/share/licenses/google-readonly/LICENSE
-# Canonical Homebrew cask with auto-quarantine removal for unsigned binaries.
+# Canonical Homebrew cask with auto-quarantine removal for non-notarized binaries
+# (the darwin binary is code-signed per cli-common distribution.md §2A, not notarized).
 # skip_upload: true → goreleaser RENDERS the cask into dist/ but does NOT push
 # it; the reusable release workflow's homebrew step is the single atomic tap
 # writer. No `token:` here — the tap token belongs only to that writer, and 
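Review bot: The added comment block leans on shorthand a reader outside the org will not know: `DR` is never expanded, and "cli-common distribution.md §2A" names a document that is not in this repository. Suggest `# macOS code-signing — stable Designated Requirement (DR) so Keychain "Always Allow" survives brew upgrade` for the first line, and a repository path or URL for the distribution.md reference so the rationale can actually be looked up. The comment also promises the exported path is `(absolute)`, but nothing in the hook line checks that; since the last patch in this series rewrites the hook, the check is best added there. The `builds:` entry this hook belongs to starts outside the hunk.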
From d11897f743e8ad6e5553b241ba80562cbacb5afe Mon Sep 17 00:00:00 2001
From: Rian Stockbower
Date: Wed, 3 Jun 2026 16:41:45 -0400
Subject: [PATCH 3/3] fix: make the darwin codesign hook fail loud on a broken script

Keep unset CODESIGN_DARWIN_SCRIPT a no-op (local builds), but if it is set yet missing/non-executable, fail the build with a clear message instead of silently skipping and shipping an unsigned binary (caught later by darwin-gate).
---
 .goreleaser.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index f840956..d74cf45 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -48,7 +48,7 @@ builds:
 # local builds → signing skipped.
 hooks:
 post:
- - cmd: bash -c 'f="${CODESIGN_DARWIN_SCRIPT:-}"; [ -n "$f" ] && [ -x "$f" ] && exec "$f" "$0" "$1"; echo "skip codesign (no CODESIGN_DARWIN_SCRIPT)"' "{{ .Path }}" "{{ .Os }}"
+ - cmd: bash -c 'f="${CODESIGN_DARWIN_SCRIPT:-}"; if [ -z "$f" ]; then echo "skip codesign (CODESIGN_DARWIN_SCRIPT unset, local build)"; exit 0; fi; [ -x "$f" ] || { echo "CODESIGN_DARWIN_SCRIPT not executable ($f)" >&2; exit 1; }; exec "$f" "$0" "$1"' "{{ .Path }}" "{{ .Os }}"
 - id: gro-unix-win
 main: ./cmd/gro
 binary: gro
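Review bot: The rewritten hook line enforces executability but not the `(absolute)` contract the comment above it states; a relative `CODESIGN_DARWIN_SCRIPT` would resolve against goreleaser's working directory, so add `case "$f" in /*) ;; *) echo "CODESIGN_DARWIN_SCRIPT must be absolute ($f)" >&2; exit 1;; esac` before the `-x` test. `[ -x "$f" ]` is also false when the path does not exist, so `not executable` is a misleading message for the missing-file case the commit message calls out; `[ -e "$f" ] || { echo "CODESIGN_DARWIN_SCRIPT missing ($f)" >&2; exit 1; }` ahead of it gives the clear message intended. The `# local builds → signing skipped.` context comment now understates the behaviour and should say that a set-but-unusable path fails the build. Passing the binary path as `$0` works but is unusual; `bash -c '… "$1" "$2"' codesign-hook "{{ .Path }}" "{{ .Os }}"` keeps `$0` as a label in bash's own error output. The enclosing build entry starts outside the hunk.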