Revert macOS signing workaround now that GoReleaser ships TeamID fix#460

Merged
jeremy merged 2 commits into main from alike-clove on May 1, 2026
Conversation

@jeremy jeremy commented May 1, 2026

What

Revert the macOS signing/notarize workaround from #392 now that GoReleaser
v2.15.4 ships a synced goreleaser/quill with the TeamIdentifier fix.

Closes #393.

Why

GoReleaser v2.15.4 (2026-04-21) bumps goreleaser/quill to commit
a259ef5caf05 (goreleaser/goreleaser#6577),
descended from c6251429a432 ("chore: sync with anchore/quill upstream",
goreleaser/quill#2). The synced
tree contains the TeamID fix from anchore/quill v0.7.0
(anchore/quill#669) — quill/sign/code_directory.go
now writes the team identifier and sets TeamOffset on the
CodeDirectoryHeader.

With the upstream fix in place, the workaround is redundant. Signing and
notarization can return to a single wait-blocking GoReleaser call instead of a
separate sign-via-quill build hook plus post-publish notarize step. This
eliminates the publish/notarize race window described in the prior tradeoffs
section and shrinks the release workflow significantly.

Changes

  • .goreleaser.yaml — drop the scripts/sign-darwin.sh build hook;
    restore the native notarize.macos block with an env-gated enabled
    template (local dev with no secrets stays signing-free; CI's hard Verify macOS signing secrets step still fails fast when secrets are missing).
  • scripts/sign-darwin.sh — deleted.
  • .github/workflows/release.yml — remove the quill install, credential
    prep, separate notarize, and credential cleanup steps; restore MACOS_* env
    vars on the GoReleaser step; drop --skip=notarize; bump GoReleaser action
v2.14.1 -> v2.15.4.
  • .mise.toml — pin goreleaser = "2.15.4" so local make test-release
    matches CI; sync comment cross-references the workflow pin.
  • RELEASING.md — rewrite the macOS signing bullet; drop the "macOS
    signing tradeoffs" section.

The macos-verify post-release job (TeamIdentifier + hardened-runtime +
spctl assertions) is signing-method-agnostic and stays in place as ongoing
CI coverage.

Testing

  • goreleaser check against pinned v2.15.4 — config valid
  • make test-release (snapshot with MACOS_* cleared) — notarize pipe
    correctly skipped (reason=disabled), confirming the enabled template
    gate
  • bin/ci green (formatting, vet, lint, unit, 305 BATS e2e, naming,
    surface, skill drift, bare-group convention, SDK provenance)
  • End-to-end on a prerelease tag — confirm Run GoReleaser emits
    Successfully notarized per darwin binary, macos-verify matrix
    (amd64 + arm64) passes the TeamIdentifier (2WNYUYRS7G) and hardened-runtime
    assertions, and the warn-only spctl step shows accepted /
    Notarized Developer ID in its log
  • Manual: codesign -dv --verbose=4 on a downloaded prerelease binary
    shows TeamIdentifier=2WNYUYRS7G and flags=0x10000(runtime)

Summary by cubic

Reverts the macOS signing workaround and returns to goreleaser's built-in sign + notarize flow now that v2.15.4 embeds goreleaser/quill with the TeamIdentifier fix. Removes the post-publish notarize step and simplifies the release workflow.

  • Dependencies

    • Bump goreleaser to v2.15.4 in the action; pin the same CLI version in .mise.toml and clarify the sync comment refers to the CLI version (not the action).
  • Refactors

    • Remove scripts/sign-darwin.sh and its build hook in .goreleaser.yaml.
    • Re-enable notarize.macos with env-gated enabled; sign via P12, notarize with issuer/key IDs, wait: true (20m timeout).
    • Simplify release.yml: drop quill install and separate notarize; restore MACOS_* env; remove --skip=notarize.
    • Update RELEASING.md to reflect the built-in flow; remove the tradeoffs section.
    • Keep macos-verify post-release checks for TeamIdentifier, hardened runtime, and notarization.

Written for commit 682fc09.

GoReleaser v2.15.4 bumps goreleaser/quill to a commit synced with
anchore/quill upstream, which includes the TeamIdentifier fix from
anchore/quill v0.7.0. The workaround from #392 (parallel signing via
scripts/sign-darwin.sh plus a separate post-publish notarize step) is
no longer needed.

- Drop the scripts/sign-darwin.sh build hook from .goreleaser.yaml and
  restore the native notarize.macos block with an env-gated `enabled`
  template, so local dev with no secrets stays signing-free.
- Remove the quill install, credential prep, separate notarize, and
  credential cleanup workflow steps. Restore MACOS_* env vars on the
  GoReleaser step and drop --skip=notarize.
- Bump the GoReleaser action from v2.14.1 to v2.15.4 and pin the same
  version in .mise.toml so make test-release exercises the same binary
  CI uses. Both pins carry sync comments cross-referencing each other.
- Drop the "macOS signing tradeoffs" section from RELEASING.md — the
  publish/notarize race window it described no longer exists, since
  signing and notarization run as one wait-blocking call again.

The macos-verify post-release job is signing-method-agnostic and stays
in place as ongoing CI coverage of TeamIdentifier, hardened runtime,
and notarization.

Closes #393
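The restored configuration the PR describes, as an added illustration rather than the repository's own .goreleaser.yaml or release.yml: the notarize.macos entry follows GoReleaser's documented schema (P12 signing, App Store Connect issuer/key IDs, wait: true with a 20m timeout) and is gated on a secret being present, and the workflow excerpt shows the hard secret pre-check plus the MACOS_* mapping onto the GoReleaser step. The MACOS_* variable names, the `darwin` build id and the `<commit-sha>` placeholder are assumptions; the team ID and version pins come from the PR text.

```yaml
# .goreleaser.yaml (excerpt) -- added illustration, not the repository's file.
notarize:
  macos:
    - # Gate on a secret being present so a local `make test-release` with the
      # MACOS_* variables cleared builds unsigned instead of failing on a
      # missing-env template error. GoReleaser evaluates `enabled` first and
      # skips the rest of the entry when it renders false.
      enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
      ids:
        - darwin                      # assumption: build id of the darwin binaries
      sign:
        # base64-encoded Developer ID Application .p12 and its password
        certificate: "{{ .Env.MACOS_SIGN_P12 }}"
        password: "{{ .Env.MACOS_SIGN_PASSWORD }}"
      notarize:
        # App Store Connect API key: issuer id, key id, base64-encoded .p8
        issuer_id: "{{ .Env.MACOS_NOTARY_ISSUER_ID }}"
        key_id: "{{ .Env.MACOS_NOTARY_KEY_ID }}"
        key: "{{ .Env.MACOS_NOTARY_KEY }}"
        # Block until Apple returns a verdict, so publishing never races
        # notarization and a rejected submission fails the release run.
        wait: true
        timeout: 20m

# .github/workflows/release.yml (excerpt) -- same caveat: illustration only.
# A hard pre-check fails the job when any secret is unset, so CI can never
# silently fall through the `enabled` gate and publish an unsigned binary.
    steps:
      - name: Verify macOS signing secrets
        env:
          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
        run: |
          for v in MACOS_SIGN_P12 MACOS_SIGN_PASSWORD MACOS_NOTARY_ISSUER_ID \
                   MACOS_NOTARY_KEY_ID MACOS_NOTARY_KEY; do
            eval "val=\${$v}"
            [ -n "$val" ] || { echo "::error::$v is not set"; exit 1; }
          done
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@<commit-sha>   # v7.0.0, pinned by SHA
        with:
          version: "v2.15.4"        # keep in sync with goreleaser in .mise.toml
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
          MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
          MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
          MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
          MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
```

The two gates do different jobs: the `enabled` template keeps a secretless local snapshot from erroring on `.Env` lookups, while the workflow pre-check makes the absence of a secret in CI a hard failure rather than a quietly unsigned release.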
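The post-release assertions the PR relies on (TeamIdentifier equals 2WNYUYRS7G, the hardened-runtime flag is set, and spctl reports an accepted, notarized Developer ID verdict, the last one warn-only), as an added example script rather than the project's macos-verify job, whose exact commands the page does not show. Parsing is separated from tool invocation so the checks can be exercised offline; the codesign and spctl sample text below is constructed, and the binary path and "Example Inc" are placeholders.

```sh
#!/bin/sh
# Added example: verify a Developer ID signed + notarized darwin binary after
# release. Mirrors the assertions the PR describes; not the project's own job.

EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-2WNYUYRS7G}"   # team ID quoted in the PR

# check_codesign_output TEXT TEAM_ID
#   TEXT is the combined stdout+stderr of `codesign -dv --verbose=4 <binary>`
#   (codesign writes the report to stderr). Returns 0 only if the
#   TeamIdentifier line equals TEAM_ID and the CodeDirectory flags include the
#   hardened-runtime bit. An unsigned or ad-hoc signed binary prints
#   "TeamIdentifier=not set", which fails the first comparison.
check_codesign_output() {
    _out=$1
    _team=$2
    _got=$(printf '%s\n' "$_out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ "$_got" != "$_team" ]; then
        printf 'FAIL: TeamIdentifier=%s, expected %s\n' "${_got:-<missing>}" "$_team" >&2
        return 1
    fi
    # A clean build shows flags=0x10000(runtime); other bits may be OR'ed in
    # (e.g. flags=0x10002(adhoc,runtime)), so match the flag name, not the hex.
    if ! printf '%s\n' "$_out" | grep -q -e 'CodeDirectory .*flags=0x[0-9a-fA-F]*(.*runtime'; then
        printf 'FAIL: hardened runtime flag not set in CodeDirectory\n' >&2
        return 1
    fi
    return 0
}

# check_spctl_output TEXT
#   TEXT is the output of `spctl --assess --type execute --verbose=4 <binary>`.
#   Returns 0 only for an "accepted" verdict whose source is a notarized
#   Developer ID, i.e. Gatekeeper found a stapled or online notarization ticket.
check_spctl_output() {
    _out=$1
    if ! printf '%s\n' "$_out" | grep -q -e ': accepted$'; then
        printf 'WARN: spctl did not accept the binary\n' >&2
        return 1
    fi
    if ! printf '%s\n' "$_out" | grep -q -e '^source=Notarized Developer ID$'; then
        printf 'WARN: accepted, but not as Notarized Developer ID\n' >&2
        return 1
    fi
    return 0
}

# verify_binary PATH -- runs the real tools, so macOS only.
verify_binary() {
    _bin=$1
    _cs=$(codesign -dv --verbose=4 "$_bin" 2>&1) || {
        printf 'FAIL: codesign could not read a signature from %s\n' "$_bin" >&2
        return 1
    }
    check_codesign_output "$_cs" "$EXPECTED_TEAM_ID" || return 1
    # Gatekeeper assessment is warn-only, as in the PR: it depends on the
    # runner's network and ticket state, so it is not the hard gate.
    _sp=$(spctl --assess --type execute --verbose=4 "$_bin" 2>&1) || true
    check_spctl_output "$_sp" || printf 'WARN: spctl output was:\n%s\n' "$_sp" >&2
    printf 'OK: %s signed by team %s with hardened runtime\n' "$_bin" "$EXPECTED_TEAM_ID"
    return 0
}

# Constructed sample output (not captured from the project's release); the
# line shapes follow what codesign and spctl print for a Developer ID binary.
SAMPLE_CODESIGN='Executable=/tmp/example_darwin_arm64
Identifier=example
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=8990
Authority=Developer ID Application: Example Inc (2WNYUYRS7G)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=2WNYUYRS7G
Runtime Version=14.0.0
Sealed Resources=none'
SAMPLE_SPCTL='/tmp/example_darwin_arm64: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (2WNYUYRS7G)'

# self_check -- exercises the parsers on the samples, including two negatives:
# a wrong team ID and a build whose hardened-runtime flag was stripped.
self_check() {
    check_codesign_output "$SAMPLE_CODESIGN" "$EXPECTED_TEAM_ID" || return 1
    check_spctl_output "$SAMPLE_SPCTL" || return 1
    check_codesign_output "$SAMPLE_CODESIGN" "AAAAAAAAAA" 2>/dev/null && return 1
    _stripped=$(printf '%s\n' "$SAMPLE_CODESIGN" | sed 's/flags=0x10000(runtime)/flags=0x0(none)/')
    check_codesign_output "$_stripped" "$EXPECTED_TEAM_ID" 2>/dev/null && return 1
    return 0
}

# Usage: sh verify-darwin.sh <binary>   (real checks)
#        sh verify-darwin.sh            (self-check against the samples)
if [ "$#" -gt 0 ]; then verify_binary "$1"; else self_check; fi
```

Matching on the flag name rather than the literal `0x10000` matters because codesign reports the whole flag set in one field, and a build with extra bits set is still hardened. Keeping the TeamIdentifier comparison exact (rather than a substring search) is what makes the check catch a binary signed by a different team.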
Copilot AI review requested due to automatic review settings May 1, 2026 21:25
github-actions Bot commented May 1, 2026

Sensitive Change Detection (shadow mode)

This PR modifies control-plane files:

  • .github/workflows/release.yml
  • .goreleaser.yaml

Shadow mode — this check is informational only. When activated, changes to these paths will require approval from a maintainer.

github-actions Bot added labels: ci (CI/CD workflows), docs, enhancement (New feature or request) on May 1, 2026

Copilot AI left a comment

Pull request overview

Reverts the macOS signing/notarization workaround (custom quill-based hook + post-publish notarize) now that GoReleaser v2.15.4’s embedded goreleaser/quill includes the TeamIdentifier fix, restoring a single wait-blocking GoReleaser notarize flow.

Changes:

  • Remove the custom darwin signing hook/script and reinstate GoReleaser’s built-in notarize.macos configuration (env-gated).
  • Simplify the release workflow by dropping quill install/credential prep/manual notarize/cleanup and running GoReleaser with macOS secrets.
  • Pin GoReleaser v2.15.4 for both CI and local tooling; update release docs accordingly.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • .goreleaser.yaml: Removes build hook signing and restores built-in notarize.macos with env-gated enablement.
  • .github/workflows/release.yml: Removes manual quill/notarize steps, passes MACOS_* secrets to GoReleaser, and bumps GoReleaser version pin.
  • .mise.toml: Pins local GoReleaser version to match CI.
  • RELEASING.md: Updates release process documentation to reflect built-in GoReleaser notarization and removes the prior tradeoffs section.
  • scripts/sign-darwin.sh: Deletes the no-longer-needed custom macOS signing hook script.

Comment thread on .mise.toml (outdated):

The pinned value is the GoReleaser CLI version, not the goreleaser-action
version (which is pinned by SHA at v7.0.0). Reword the cross-reference
comment to make that distinction explicit.
@jeremy jeremy merged commit b0c6bd1 into main May 1, 2026
26 checks passed
@jeremy jeremy deleted the alike-clove branch May 1, 2026 21:56
Labels

ci CI/CD workflows docs enhancement New feature or request

Development

Successfully merging this pull request may close these issues.

Revert to GoReleaser built-in notarize when goreleaser/quill syncs TeamIdentifier fix