feat: add DMG release workflow

- Add create-dmg.sh script for building signed/notarized DMG
- Add release and release-local make targets
- Add GitHub Actions workflow for releases
- Add build/ to .gitignore

Author: webcpu

.github/workflows/release.yml

@@ -0,0 +1,104 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version number (e.g., 1.2.3)'
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+jobs:
+  build-and-release:
+    name: Build and Release
+    runs-on: macos-15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Determine version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "push" ]; then
+            VERSION="${GITHUB_REF#refs/tags/v}"
+          else
+            VERSION="${{ github.event.inputs.version }}"
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
+
+      - name: Install dependencies
+        run: brew install create-dmg
+
+      - name: Install Apple certificate
+        env:
+          CERTIFICATE_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_CERT_BASE64 }}
+          CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_CERT_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ github.run_id }}
+        run: |
+          # Create temporary keychain
+          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Import certificate
+          CERT_PATH="$RUNNER_TEMP/certificate.p12"
+          echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
+          security import "$CERT_PATH" \
+            -P "$CERTIFICATE_PASSWORD" \
+            -A \
+            -t cert \
+            -f pkcs12 \
+            -k "$KEYCHAIN_PATH"
+
+          # Allow codesign access without prompts
+          security set-key-partition-list -S apple-tool:,apple: \
+            -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
+          # Add to search list (prepend to ensure it's found first)
+          security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain
+
+          # Verify certificate was imported
+          echo "Verifying certificate..."
+          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+
+      - name: Build and create DMG
+        env:
+          DEVELOPER_ID_APPLICATION: "Developer ID Application: Liang Yuan (${{ secrets.APPLE_TEAM_ID }})"
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+        run: |
+          chmod +x scripts/create-dmg.sh
+          ./scripts/create-dmg.sh --version "${{ steps.version.outputs.version }}"
+
+      - name: Upload DMG artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ClaudeCodeUsage-${{ steps.version.outputs.version }}
+          path: build/ClaudeCodeUsage.dmg
+          if-no-files-found: error
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: ClaudeCodeUsage v${{ steps.version.outputs.version }}
+          draft: false
+          prerelease: ${{ contains(steps.version.outputs.version, '-') }}
+          files: build/ClaudeCodeUsage.dmg
+          generate_release_notes: true
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Cleanup keychain
+        if: always()
+        run: |
+          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true

.gitignore

@@ -66,3 +66,4 @@ fastlane/screenshots/**/*.png
 fastlane/test_output
 .DS_Store
 /CLAUDE.md
+build/

ClaudeCodeUsage.xcodeproj/project.pbxproj

@@ -37,7 +37,7 @@
 		ECF4102B2F03E6AD00DFC0C8 /* ClaudeCodeUsage.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = ClaudeCodeUsage.app; sourceTree = BUILT_PRODUCTS_DIR; };
 		ECF410382F03E6AE00DFC0C8 /* ClaudeCodeUsageTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = ClaudeCodeUsageTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
 		ECF410422F03E6AE00DFC0C8 /* ClaudeCodeUsageUITests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = ClaudeCodeUsageUITests.xctest; sourceTree = BUILT_PRODUCTS_DIR; };
-		ECF412B82F03F9B900DFC0C8 /* ClaudeCodeUsage.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = file; path = ClaudeCodeUsage.xctestplan; sourceTree = "<group>"; };
+		ECF412B82F03F9B900DFC0C8 /* ClaudeCodeUsage.xctestplan */ = {isa = PBXFileReference; lastKnownFileType = text; path = ClaudeCodeUsage.xctestplan; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFileSystemSynchronizedRootGroup section */

Makefile

@@ -1,17 +1,19 @@
 # Makefile for ClaudeCodeUsage
 # Provides convenient commands for development
 
-.PHONY: help test test-core test-data test-ui clean format lint screenshot
+.PHONY: help test test-core test-data test-ui clean format lint screenshot release release-local
 
 # Default target
 help:
 	@echo "ClaudeCodeUsage Development Commands"
 	@echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-	@echo "  make test       - Run all tests"
-	@echo "  make screenshot - Capture UI previews to /tmp/ClaudeUsageUI/"
-	@echo "  make clean      - Clean build artifacts"
-	@echo "  make format     - Format code with swift-format"
-	@echo "  make lint       - Lint code with SwiftLint"
+	@echo "  make test          - Run all tests"
+	@echo "  make screenshot    - Capture UI previews to /tmp/ClaudeUsageUI/"
+	@echo "  make clean         - Clean build artifacts"
+	@echo "  make format        - Format code with swift-format"
+	@echo "  make lint          - Lint code with SwiftLint"
+	@echo "  make release       - Build signed/notarized DMG"
+	@echo "  make release-local - Build DMG (skip notarization)"
 
 # Run all tests
 test: test-core test-data test-ui
@@ -30,6 +32,7 @@ clean:
 	rm -rf Packages/ClaudeUsageCore/.build
 	rm -rf Packages/ClaudeUsageData/.build
 	rm -rf Packages/ClaudeUsageUI/.build
+	rm -rf build
 
 # Format code (requires swift-format)
 format:
@@ -51,3 +54,11 @@ lint:
 screenshot:
 	swift run --package-path Packages/ClaudeUsageUI PreviewCapture
 	@echo "Screenshots saved to /tmp/ClaudeUsageUI/"
+
+# Build signed and notarized DMG for distribution
+release:
+	@./scripts/create-dmg.sh
+
+# Build DMG without notarization (for local testing)
+release-local:
+	@./scripts/create-dmg.sh --skip-notarize