[CI] Staple .app inside dmg #33592

Open
Eism wants to merge 1 commit into main from ci_macos_staple_app

@Eism
Contributor

@Eism Eism commented May 27, 2026

@Eism Eism requested a review from igorkorsukov May 27, 2026 08:59
@coderabbitai
Contributor

coderabbitai Bot commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 70ea41f5-bf18-4f9e-9467-dc3fb88fcd34

📥 Commits

Reviewing files that changed from the base of the PR and between 1786e97 and 2fb4d6a.

📒 Files selected for processing (4)
  • .github/workflows/build_macos.yml
  • buildscripts/ci/macos/notarize.sh
  • buildscripts/ci/macos/package.sh
  • buildscripts/packaging/macOS/package.sh
🚧 Files skipped from review as they are similar to previous changes (4)
  • buildscripts/ci/macos/notarize.sh
  • buildscripts/ci/macos/package.sh
  • buildscripts/packaging/macOS/package.sh
  • .github/workflows/build_macos.yml

📝 Walkthrough

This PR extends the macOS build pipeline to support parameterized Apple Team ID and notarization credentials. Previously, the team ID was hardcoded in notarize.sh and notarization was not performed during packaging. The workflow now defines APPLE_TEAM_ID as an environment variable and conditionally passes notarization credentials (username and password) to the packaging and notarization scripts. The notarize.sh script now requires --team-id as a parameter instead of using a hardcoded value. The CI package wrapper script forwards the Team ID and credentials to the final packaging script. The packaging script implements a conditional notarization flow that submits the app to Apple, waits for completion, staples the notarization, and validates the result when credentials are provided.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is minimal and incomplete. It lacks a detailed explanation of the changes, motivation, issue reference, and omits all required checklist items from the template. | Replace the description with a comprehensive explanation of the CI/packaging changes, reference the issue being fixed, and include all checklist items from the template. Add details about why stapling the app addresses the macOS security warning shown in the screenshot. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title '[CI] Staple .app inside dmg' clearly and specifically describes the main change—adding macOS app notarization stapling inside the DMG packaging process to address Gatekeeper security warnings. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build_macos.yml:
- Line 246: The notarize invocation passes unquoted shell variables which can
cause word-splitting/globbing; update the bash call to pass the USER and PW
variables to notarize.sh with double quotes around each variable (i.e., quote
both $USER and $PW in the -u and -p arguments) so they are treated as single
arguments when invoking notarize.sh.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2d1b5755-66e3-40e3-a444-4b216543276a

📥 Commits

Reviewing files that changed from the base of the PR and between 28da5ee and 1786e97.

📒 Files selected for processing (4)
  • .github/workflows/build_macos.yml
  • buildscripts/ci/macos/notarize.sh
  • buildscripts/ci/macos/package.sh
  • buildscripts/packaging/macOS/package.sh

Comment thread .github/workflows/build_macos.yml Outdated
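
The quoting problem flagged in the review above, as an added example that is not part of the PR or the project's scripts. `parse_notarize_args` is a hypothetical stand-in for the option parsing in notarize.sh, and the variable names and credential values are constructed.

```bash
#!/bin/sh
# Hypothetical stand-in for notarize.sh option parsing (assumption, not project code).
# Prints "user|password|team|stray-argument-count".
parse_notarize_args() {
    user="" pw="" team="" extra=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -u|-p|--team-id)
                # An option with no value left counts as a stray argument.
                [ "$#" -ge 2 ] || { extra=$((extra + 1)); break; }
                case "$1" in
                    -u) user=$2 ;;
                    -p) pw=$2 ;;
                    *)  team=$2 ;;
                esac
                shift 2 ;;
            *)  extra=$((extra + 1)); shift ;;
        esac
    done
    printf '%s|%s|%s|%s\n' "$user" "$pw" "$team" "$extra"
}

# Constructed sample values, not real credentials.
NOTARIZE_USER='ci@example.invalid'
TEAM_ID='TEAMID0000'

# Unquoted expansion: the password is word-split (and would be glob-expanded),
# and an empty password vanishes so -p consumes the next option instead.
call_unquoted() {
    pw_in=$1
    # shellcheck disable=SC2086
    parse_notarize_args -u $NOTARIZE_USER -p $pw_in --team-id $TEAM_ID
}

# Quoted expansion: each variable is exactly one argument, even when empty.
call_quoted() {
    pw_in=$1
    parse_notarize_args -u "$NOTARIZE_USER" -p "$pw_in" --team-id "$TEAM_ID"
}

for sample in 'abcd efgh' ''; do
    printf 'password=[%s]\n' "$sample"
    printf '  unquoted: %s\n' "$(call_unquoted "$sample")"
    printf '  quoted:   %s\n' "$(call_quoted "$sample")"
done
```

The empty-password case matters for a workflow that passes credentials conditionally: unquoted, `-p` takes `--team-id` as the password and the team ID is lost.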
@Jojo-Schmitz
Contributor

Is this supposed to fix https://musescore.org/en/node/392826 ?

@Eism Eism force-pushed the ci_macos_staple_app branch from 1786e97 to 2fb4d6a Compare May 27, 2026 09:40
@Eism
Contributor Author

Eism commented May 27, 2026

@Jojo-Schmitz I hope so

@bkunda bkunda requested a review from DmitryArefiev May 27, 2026 11:31
@DmitryArefiev DmitryArefiev self-assigned this May 27, 2026
@DmitryArefiev DmitryArefiev removed their request for review May 27, 2026 12:57
@DmitryArefiev
Contributor

Tested on Mac13.7.8 (M1). Still occurs on my side (I used web file storage and downloaded via Chrome to imitate downloading from web site)

Screenshot 2026-05-27 at 14 24 57
