Require notarized GitHub release artifacts by default

[shiny-code-bot]

Objective

Make GitHub Release artifacts notarized by default when they are meant for direct user installation.

Finish Line

Public GitHub Release artifacts are signed and notarized unless explicitly marked validation-only.

Current Status

State: Active
Next action: Change the release workflow default so friend-installable GitHub releases request notarization by default, with an explicit validation-only escape hatch if kept.
Blocked by: None
Waiting for: Maintainer decision on whether ad-hoc GitHub releases should remain possible.
Last verified: 2026-05-28, v1.0.11 was published from 97238144f569d3298b804a5814293e87f1a19aef with notarize=true; release-metadata.json reports Developer ID signing, hardened runtime, and notarized: true.

Scope

• In: .github/workflows/release.yml, scripts/package-native-macos-app.sh behavior if needed, release metadata and notes clarity.
• Out: App Store Connect/TestFlight signing path.

Acceptance Criteria

• Public GitHub releases request notarization by default.
• If notarization is requested but required secrets are missing, the workflow fails before publishing a misleading release.
• Validation-only/ad-hoc artifacts remain possible only through explicit inputs and release notes label them clearly.
• release-metadata.json and GitHub release notes accurately state signing and notarization status.

Relationships

Part of the release hardening parent plan.

Validation

• Run workflow with notarization enabled on a test version or approved release.
• Confirm release-metadata.json reports notarized true.
• Confirm GitHub release notes describe the build as signed and notarized.

Decisions

• 2026-05-28: Direct GitHub downloads should be notarized for human-friendly installation.

Open Questions

• Should notarization be hard-required for all v* tag releases?