lightdash
diff --git a/‎.envrc.example‎
Lines changed: 7 additions & 0 deletions b/‎.envrc.example‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 185 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 185 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 27 additions & 0 deletions b/‎.gitignore‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 132 additions & 0 deletions b/‎README.md‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎entitlements.plist‎
Lines changed: 25 additions & 0 deletions b/‎entitlements.plist‎
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,7 @@
+# Copy this file to .envrc and update with your values
+# If using direnv, run: direnv allow
+
+# Apple Developer credentials
+export DEVELOPER_ID="YOUR_DEVELOPER_ID"
+export BUNDLE_ID="com.yourcompany.yourapp"
+export KEYCHAIN_PROFILE="YOUR_KEYCHAIN_PROFILE"
@@ -0,0 +1,185 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-release:
+    runs-on: macos-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10.12.1
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build binaries
+        run: pnpm build:binary
+
+      - name: Import signing certificate
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
+        run: |
+          # Create a temporary keychain
+          KEYCHAIN_NAME="build.keychain"
+          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
+
+          # Create the keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+          # Set the keychain as default
+          security default-keychain -s "$KEYCHAIN_NAME"
+
+          # Unlock the keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+          # Import certificate
+          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+          security import certificate.p12 -k "$KEYCHAIN_NAME" -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+
+          # Allow codesign to access the certificate without prompting
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+          # Clean up
+          rm certificate.p12
+
+      - name: Sign binaries
+        env:
+          DEVELOPER_ID: ${{ secrets.DEVELOPER_ID }}
+          BUNDLE_ID: ${{ secrets.BUNDLE_ID }}
+        run: |
+          # Make binaries executable
+          chmod +x bin/hello-lightdash-x64
+          chmod +x bin/hello-lightdash-arm64
+
+          # Sign both binaries
+          codesign -s "$DEVELOPER_ID" -f --timestamp -o runtime \
+            -i "$BUNDLE_ID" --entitlements entitlements.plist \
+            bin/hello-lightdash-x64
+
+          codesign -s "$DEVELOPER_ID" -f --timestamp -o runtime \
+            -i "$BUNDLE_ID" --entitlements entitlements.plist \
+            bin/hello-lightdash-arm64
+
+          # Verify signatures
+          codesign --verify --verbose bin/hello-lightdash-x64
+          codesign --verify --verbose bin/hello-lightdash-arm64
+
+      - name: Notarize binaries
+        env:
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+        run: |
+          # Store notarization credentials
+          xcrun notarytool store-credentials "CI_NOTARIZE" \
+            --apple-id "$APPLE_ID" \
+            --team-id "$APPLE_TEAM_ID" \
+            --password "$APPLE_PASSWORD"
+
+          # Create temporary directory for zips
+          mkdir -p notarize-temp
+
+          # Function to notarize a binary
+          notarize_binary() {
+            local BINARY_NAME=$1
+            local ZIP_PATH="notarize-temp/${BINARY_NAME}.zip"
+
+            echo "Notarizing ${BINARY_NAME}..."
+
+            # Create zip for notarization
+            ditto -c -k --keepParent "bin/${BINARY_NAME}" "$ZIP_PATH"
+
+            # Submit for notarization and wait
+            xcrun notarytool submit "$ZIP_PATH" \
+              --keychain-profile "CI_NOTARIZE" \
+              --wait
+
+            # Check status
+            if [ $? -eq 0 ]; then
+              echo "✓ Notarization successful for ${BINARY_NAME}"
+            else
+              echo "✗ Notarization failed for ${BINARY_NAME}"
+              exit 1
+            fi
+          }
+
+          # Notarize both binaries
+          notarize_binary "hello-lightdash-x64"
+          notarize_binary "hello-lightdash-arm64"
+
+          # Clean up
+          rm -rf notarize-temp
+
+      - name: Create release archives
+        run: |
+          # Get version from tag
+          VERSION=${GITHUB_REF#refs/tags/}
+
+          # Create archives for each architecture
+          tar -czf "hello-lightdash-${VERSION}-macos-x64.tar.gz" -C bin hello-lightdash-x64
+          tar -czf "hello-lightdash-${VERSION}-macos-arm64.tar.gz" -C bin hello-lightdash-arm64
+
+          # Create checksums
+          shasum -a 256 hello-lightdash-*.tar.gz > checksums.txt
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          draft: false
+          prerelease: false
+          generate_release_notes: true
+          files: |
+            hello-lightdash-*.tar.gz
+            checksums.txt
+          body: |
+            ## Downloads
+
+            ### macOS
+            - **Apple Silicon (M1/M2/M3):** `hello-lightdash-${{ github.ref_name }}-macos-arm64.tar.gz`
+            - **Intel:** `hello-lightdash-${{ github.ref_name }}-macos-x64.tar.gz`
+
+            ### Installation
+
+            ```bash
+            # Download and extract (replace with your architecture)
+            tar -xzf hello-lightdash-${{ github.ref_name }}-macos-arm64.tar.gz
+
+            # Make executable (if needed)
+            chmod +x hello-lightdash-arm64
+
+            # Run
+            ./hello-lightdash-arm64
+            ```
+
+            ### Verification
+
+            The binaries are signed and notarized by Apple. To verify:
+            ```bash
+            codesign --verify --verbose hello-lightdash-arm64
+            ```
+
+            ### Checksums
+
+            Verify download integrity:
+            ```bash
+            shasum -a 256 -c checksums.txt
+            ```
@@ -0,0 +1,27 @@
+# Dependencies
+node_modules/
+
+# Build outputs
+dist/
+build/
+bin/
+
+# IDE
+.vscode/
+.idea/
+
+# OS
+.DS_Store
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+
+# Environment
+.env
+.env.local
+.env.*.local
+.envrc
@@ -0,0 +1,132 @@
+# hello-lightdash-binary-example
+
+TypeScript app that compiles to standalone macOS binaries.
+
+## Structure
+
+- `src/` - TypeScript source
+- `dist/` - TypeScript compilation output
+- `build/` - Bundled single-file JavaScript
+- `bin/` - Final binary executables
+
+## Commands
+
+```bash
+pnpm dev          # Run TypeScript directly
+pnpm build        # Compile TS → JS
+pnpm build:binary # Full build → binary
+```
+
+## Binary Compilation Process
+
+1. **TypeScript → JavaScript** (`tsc`)
+   Compiles to CommonJS in `dist/`
+
+2. **Bundle dependencies** (`@vercel/ncc`)
+   Creates single-file bundle in `build/` with all node_modules included
+
+3. **JavaScript → Binary** (`@yao-pkg/pkg`)
+   Packages Node.js runtime + bundled code into standalone executables
+
+## Output
+
+Creates two binaries in `bin/`:
+- `hello-lightdash-arm64` - Apple Silicon (~46MB)
+- `hello-lightdash-x64` - Intel Macs (~51MB)
+
+These run without Node.js installed. Each binary contains:
+- Node.js runtime (v20)
+- Your bundled application code
+- All dependencies
+
+## Code Signing & Notarization
+
+For macOS distribution without Gatekeeper warnings:
+
+### 1. Code Sign
+```bash
+pnpm codesign
+```
+Signs both binaries with Developer ID and Bundle ID configured in `scripts/codesign.sh`.
+
+### 2. Notarize
+```bash
+pnpm notarize
+```
+Submits binaries to Apple for notarization and staples the ticket for offline verification.
+
+### Setup (one-time)
+
+1. Copy `.envrc.example` to `.envrc` and update with your credentials
+2. If using direnv: `direnv allow`
+3. Store Apple credentials in keychain:
+```bash
+xcrun notarytool store-credentials "AppPasswordCodesignNotarize" \
+  --apple-id "[email protected]" \
+  --team-id "AF5SF5H727" \
+  --password "app-specific-password"
+```
+
+Generate app-specific password at [appleid.apple.com](https://appleid.apple.com).
+
+### Verify
+```bash
+spctl -a -v bin/hello-lightdash-x64
+spctl -a -v bin/hello-lightdash-arm64
+```
+
+## Distribution
+
+Ship the appropriate binary for the target architecture. No installation required - users just run the executable.
+
+## Testing
+
+To check gatekeeper locally, force the quarantine attribute:
+
+```
+xattr -w com.apple.quarantine "0083;$(date +%s);Safari;F643CD5F-6071-46AB-83AB-390BA944DEC5" /path/to/your/binary
+```
+
+## CI/CD - GitHub Actions
+
+The release workflow automatically builds, signs, notarizes, and publishes binaries when you push a version tag:
+
+```bash
+git tag v1.0.0
+git push origin v1.0.0
+```
+
+### Required GitHub Secrets
+
+Configure these in your repository settings:
+
+1. **MACOS_CERTIFICATE** - Base64 encoded p12 certificate
+   ```bash
+   base64 -i DeveloperIDApplication.p12 | pbcopy
+   ```
+
+2. **MACOS_CERTIFICATE_PASSWORD** - Password for the p12 certificate
+
+3. **DEVELOPER_ID** - Your Developer ID (e.g., "Developer ID Application: Name (TEAMID)")
+
+4. **BUNDLE_ID** - Your bundle identifier (e.g., "com.company.app")
+
+5. **APPLE_ID** - Your Apple ID email
+
+6. **APPLE_PASSWORD** - App-specific password for notarization
+
+7. **APPLE_TEAM_ID** - Your Apple Team ID (e.g., "AF5SF5H727")
+
+### Export Certificate for CI
+
+To export your Developer ID certificate:
+```bash
+# Find your certificate
+security find-identity -v -p codesigning
+
+# Export to p12 (replace with your identity)
+security export -k ~/Library/Keychains/login.keychain-db \
+  -t identities -f pkcs12 -o DeveloperIDApplication.p12 \
+  -P "your-password-here" \
+  -T /usr/bin/codesign
+```
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Allow JIT compilation for V8 JavaScript engine -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+
+    <!-- Allow unsigned executable memory for V8 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+
+    <!-- Allow DYLD environment variables -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+
+    <!-- Disable library validation to allow loading of unsigned libraries -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+
+    <!-- Disable executable memory protection -->
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+</dict>
+</plist>