[CI] MacOS codesignging + notarization

.github/workflows/ci.yml

@@ -116,14 +116,9 @@ jobs:
     - name: Run shellcheck
       run: ./scripts/ci-run-shellcheck.sh
 
-  ci:
+  ci-linux:
     needs: [tag, clang-format, cppcheck, shellcheck]
-
-    strategy:
-      matrix:
-        os: [ubuntu-22.04, macos-13, macos-14]
-
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-22.04
     timeout-minutes: 15
 
     env:
@@ -133,23 +128,13 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v4
 
-    - name: Set up Linux
-      if: runner.os == 'Linux'
+    - name: Set up apt dependencies
       run: |
         sudo apt update
         sudo apt install -y rpm alien tmux
         sudo apt remove -y jq
 
-    - name: Set up macOS (AMD64 and ARM64)
-      if: runner.os == 'macOS'
-      run: |
-        brew install --quiet coreutils tree autoconf automake libtool tmux sqlite3
-        brew uninstall jq
-
-    # --- Build ---
-
     - name: Build on Linux (${{ env.AMD64_LINUX_GCC }})
-      if: runner.os == 'Linux'
       env:
         PREFIX: ${{ env.AMD64_LINUX_GCC }}
         CC: gcc
@@ -161,7 +146,6 @@ jobs:
         ./scripts/ci-create-rpm-package.sh
 
     - name: Build on Linux (${{ env.AMD64_LINUX_CLANG }})
-      if: runner.os == 'Linux'
       env:
         PREFIX: ${{ env.AMD64_LINUX_CLANG }}
         CC: clang
@@ -172,26 +156,6 @@ jobs:
         ./scripts/ci-create-debian-package.sh
         ./scripts/ci-create-rpm-package.sh
 
-    - name: Build on macOS (${{ env.AMD64_MACOSX_GCC }})
-      if: matrix.os == 'macos-13'
-      env:
-        PREFIX: ${{ env.AMD64_MACOSX_GCC }}
-        CC: gcc-13
-        MAKE: make
-        RUN_TESTS: true
-      run: ./scripts/ci-build.sh
-
-    - name: Build on macOS (${{ env.ARM64_MACOSX_GCC }})
-      if: matrix.os == 'macos-14'
-      env:
-        PREFIX: ${{ env.ARM64_MACOSX_GCC }}
-        CC: gcc-13
-        MAKE: make
-        RUN_TESTS: true
-      run: ./scripts/ci-build.sh
-
-    # --- Upload build artifacts ---
-
     - name: Prepare build artifacts for upload
       run: ./scripts/ci-prepare-artifacts-for-upload.sh
 
@@ -206,7 +170,6 @@ jobs:
       run: ./scripts/ci-verify-attestations.sh
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.zip)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.zip
@@ -217,7 +180,6 @@ jobs:
         if-no-files-found: error
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.zip)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.zip
@@ -228,7 +190,6 @@ jobs:
         if-no-files-found: error
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.deb)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.deb
@@ -239,7 +200,6 @@ jobs:
         if-no-files-found: error
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.deb)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.deb
@@ -250,7 +210,6 @@ jobs:
         if-no-files-found: error
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.rpm)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.rpm
@@ -261,7 +220,6 @@ jobs:
         if-no-files-found: error
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.rpm)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.rpm
@@ -271,30 +229,7 @@ jobs:
         retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
         if-no-files-found: error
 
-    - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.zip)
-      if: matrix.os == 'macos-13'
-      uses: actions/upload-artifact@v4
-      env:
-        ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.zip
-      with:
-        name: ${{ env.ARTIFACT_NAME }}
-        path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
-        retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
-        if-no-files-found: error
-
-    - name: Upload (zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.zip)
-      if: matrix.os == 'macos-14'
-      uses: actions/upload-artifact@v4
-      env:
-        ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.zip
-      with:
-        name: ${{ env.ARTIFACT_NAME }}
-        path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
-        retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
-        if-no-files-found: error
-
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.tar.gz)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.tar.gz
@@ -305,7 +240,6 @@ jobs:
         if-no-files-found: error
 
     - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.tar.gz)
-      if: runner.os == 'Linux'
       uses: actions/upload-artifact@v4
       env:
         ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.tar.gz
@@ -315,22 +249,72 @@ jobs:
         retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
         if-no-files-found: error
 
-    - name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.tar.gz)
-      if: matrix.os == 'macos-13'
-      uses: actions/upload-artifact@v4
+    - name: Upload release artifacts
+      if: startsWith(github.ref, 'refs/tags/v')
+      run: ./scripts/ci-upload-release-artifacts.sh
+
+  ci-macos:
+    needs: [tag, clang-format, cppcheck, shellcheck]
+
+    strategy:
+      matrix:
+        os: [macos-13, macos-14]
+
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 30
+
+    env:
+      TAG: ${{ needs.tag.outputs.TAG }}
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Set up homebrew dependencies
+      run: brew install --quiet coreutils tree autoconf automake libtool tmux sqlite3
+
+    - name: Set PREFIX and ZIP env var
       env:
-        ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.tar.gz
+        PREFIX: ${{ runner.arch == 'X64' && env.AMD64_MACOSX_GCC || env.ARM64_MACOSX_GCC }}
+      run: |
+        {
+          echo "PREFIX=$PREFIX"
+          echo "ZIP=zsv-$TAG-$PREFIX.zip"
+        } | tee -a "$GITHUB_ENV"
+
+    - name: Build on macOS (${{ env.AMD64_MACOSX_GCC }})
+      env:
+        CC: gcc-13
+        MAKE: make
+        RUN_TESTS: true
+        SKIP_TAR_ARCHIVE: true
+      run: ./scripts/ci-build.sh
+
+    - name: Prepare build artifacts for upload
+      run: ./scripts/ci-prepare-artifacts-for-upload.sh
+
+    - name: Codesign and notarize (${{ env.PREFIX }})
+      if: startsWith(github.ref, 'refs/tags/v')
+      env:
+        MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
+        MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
+        APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+      run: ./scripts/ci-macos-codesign-and-notarize.sh "$PWD/$ARTIFACT_DIR/$ZIP"
+
+    - name: Attest build artifacts for release
+      if: startsWith(github.ref, 'refs/tags/v')
+      uses: actions/attest-build-provenance@v2
       with:
-        name: ${{ env.ARTIFACT_NAME }}
-        path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
-        retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
-        if-no-files-found: error
+        subject-path: ${{ env.ARTIFACT_DIR }}/*
+
+    - name: Verify attestations of release artifacts
+      if: startsWith(github.ref, 'refs/tags/v')
+      run: ./scripts/ci-verify-attestations.sh
 
-    - name: Upload (zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.tar.gz)
-      if: matrix.os == 'macos-14'
+    - name: Upload (${{ env.ZIP }})
       uses: actions/upload-artifact@v4
       env:
-        ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.tar.gz
+        ARTIFACT_NAME: ${{ env.ZIP }}
       with:
         name: ${{ env.ARTIFACT_NAME }}
         path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
@@ -710,7 +694,7 @@ jobs:
       with:
         path: playground
 
-  deploy-playground:
+  deploy-wasm-playground:
     if: ${{ github.ref_name == 'main' }}
     needs: ci-wasm
     runs-on: ubuntu-22.04