
Set up production release credentials and code signing #59

@JanJakes

Description


Summary

ForkPress release automation can now prepare release PRs, build and publish GitHub release artifacts, and update Automattic/homebrew-tap. The remaining production setup is to replace personal test credentials with durable bot-owned credentials and to decide/configure platform code signing.

GitHub automation credentials

  • Create or choose a durable Automattic-owned bot/machine account for release automation, for example matticbot or another approved account.
  • Configure RELEASE_PREPARE_TOKEN in Automattic/forkpress repository Actions secrets.
    • Purpose: used by Release: prepare to create the release/vX.Y.Z branch and PR.
    • Suggested fine-grained PAT access: Automattic/forkpress only, with Contents read/write and Pull requests read/write.
    • Why not only GITHUB_TOKEN: PRs created with GITHUB_TOKEN may not trigger PR checks without manual intervention.
  • Configure HOMEBREW_TAP_TOKEN in Automattic/forkpress repository Actions secrets.
    • Purpose: used by Release: publish to check out Automattic/homebrew-tap and push the updated forkpress.rb.
    • Suggested fine-grained PAT access: Automattic/homebrew-tap only, with Contents read/write.
    • Confirm whether direct pushes to master are acceptable for this tap. If not, change the workflow to open a tap PR instead.
  • Confirm repository Actions settings allow the default GITHUB_TOKEN to create release tags and GitHub releases from the publish workflow.
    • The workflow job currently requests contents: write for tag/release creation.

Code signing

Windows

Windows signing is implemented but currently optional.

  • Obtain the production Windows code-signing certificate for ForkPress/Automattic.
  • Export it as a password-protected PFX suitable for Authenticode signing on GitHub-hosted Windows runners.
  • Add WINDOWS_CODESIGN_CERT_BASE64 to Automattic/forkpress Actions secrets.
    • Value should be the base64-encoded PFX bytes.
  • Add WINDOWS_CODESIGN_PASSWORD to Automattic/forkpress Actions secrets.
    • Value should be the PFX password.
  • Re-enable strict Windows signing before considering Windows artifacts production-trusted.
    • Current workflow warns and publishes unsigned Windows artifacts when these secrets are missing.
    • Signing is applied to both forkpress.exe and ForkPressSetup.exe when both secrets exist.
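The strict-versus-optional gate described above, as an added workflow example (not the ForkPress workflow or any code from the project). It assumes the Windows build is downloaded into dist/, that signtool.exe is on PATH on the runner, and that the RFC 3161 timestamp server URL is a placeholder to be replaced with the CA's real one; the secret names and binary names are the ones listed in this issue. Flipping STRICT_SIGNING to "false" reproduces the current warn-and-publish behaviour; leaving it "true" makes missing secrets a hard failure.

```yaml
# Added example (not the ForkPress workflow): sign forkpress.exe and
# ForkPressSetup.exe, and fail the job when the signing secrets are absent
# instead of publishing unsigned artifacts.
jobs:
  sign-windows:
    runs-on: windows-latest
    env:
      # "false" only for an explicitly accepted unsigned-artifact release phase.
      STRICT_SIGNING: "true"
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: windows-build   # assumed artifact name
          path: dist

      - name: Sign Windows binaries
        shell: pwsh
        env:
          CERT_B64: ${{ secrets.WINDOWS_CODESIGN_CERT_BASE64 }}
          CERT_PASSWORD: ${{ secrets.WINDOWS_CODESIGN_PASSWORD }}
        run: |
          if ([string]::IsNullOrEmpty($env:CERT_B64) -or [string]::IsNullOrEmpty($env:CERT_PASSWORD)) {
            if ($env:STRICT_SIGNING -eq "true") {
              Write-Error "Windows signing secrets are missing; refusing to publish unsigned artifacts."
              exit 1
            }
            Write-Warning "Windows signing secrets are missing; artifacts will be UNSIGNED."
            exit 0
          }

          # Decode the PFX into RUNNER_TEMP, never into the workspace that gets uploaded.
          $pfx = Join-Path $env:RUNNER_TEMP "codesign.pfx"
          [IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:CERT_B64))
          try {
            foreach ($file in @("dist\forkpress.exe", "dist\ForkPressSetup.exe")) {
              # Placeholder timestamp URL: replace with the CA's RFC 3161 server.
              signtool sign /f $pfx /p $env:CERT_PASSWORD /fd SHA256 `
                /tr http://timestamp.example.invalid /td SHA256 $file
              if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file" }

              # Verify the chain before the artifact leaves the job.
              signtool verify /pa /v $file
              if ($LASTEXITCODE -ne 0) { throw "signature verification failed for $file" }
            }
          } finally {
            Remove-Item -Force $pfx -ErrorAction SilentlyContinue
          }
```

The PFX is written only to RUNNER_TEMP and removed in a finally block so a failed signtool run does not leave the private key on disk for a later upload step, and the verify call catches a certificate that signs but does not chain to a trusted root.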

macOS

macOS release artifacts are not currently Developer ID signed or notarized. The build only does ad-hoc signing where needed for local macOS binary execution during packaging.

  • Decide whether ForkPress macOS tarball binaries need Developer ID signing and notarization.
  • If yes, add workflow support and secrets for Apple Developer ID signing/notarization.
    • Likely required secrets: Developer ID Application certificate, certificate password, Apple team ID, and App Store Connect API credentials or notarization credentials.
    • Add codesign/notary validation before artifact upload.

Linux

Linux artifacts are not currently signed beyond GitHub release checksums.

  • Decide whether SHA256SUMS are sufficient for now.
  • If stronger provenance is required, add artifact signing/attestation, for example Sigstore/cosign, minisign, or GitHub artifact attestations.
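An added workflow example (not the ForkPress workflow) showing the two options side by side: a SHA256SUMS file for integrity, plus a GitHub artifact attestation (the Sigstore-backed option mentioned above) for provenance. It assumes the Linux build lands in dist/ as forkpress-*.tar.gz and that the artifact is named linux-build; both are assumptions, not project names.

```yaml
# Added example (not the ForkPress workflow): checksums alone prove the
# download was not corrupted; the attestation additionally binds the
# artifacts to the workflow run and commit that built them.
jobs:
  attest-linux:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # upload release assets
      id-token: write       # OIDC token used for Sigstore signing
      attestations: write   # store the attestation on GitHub
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: linux-build   # assumed artifact name
          path: dist

      - name: Write and self-check SHA256SUMS
        run: |
          cd dist
          sha256sum forkpress-*.tar.gz > SHA256SUMS
          sha256sum -c SHA256SUMS   # fail fast if any file is unreadable

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: |
            dist/forkpress-*.tar.gz
            dist/SHA256SUMS
```

Consumers can then verify a download with the GitHub CLI, for example gh attestation verify dist/forkpress-x.y.z.tar.gz --owner Automattic, which checks the Sigstore signature and that the artifact was produced by a workflow in that organisation; the SHA256SUMS file remains useful for users without gh, and attesting it as well ties the checksum list itself to the build.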

Acceptance criteria

  • Release: prepare can be run without a personal PAT and creates release PRs whose checks run automatically.
  • Release: publish can update Automattic/homebrew-tap without a personal PAT.
  • Windows release artifacts are signed, or the unsigned-artifact policy is explicitly accepted for the current release phase.
  • macOS signing/notarization requirements are decided and either implemented or intentionally deferred.
  • Token ownership, rotation/expiration, and recovery expectations are documented.
