make gatekeeper assessment optional

.gitea/workflows/custom-release.yml

@@ -18,7 +18,7 @@ on:
         description: "Optional upstream Syncthing tag, for example v2.1.0"
         required: false
       suffix:
-        description: "Optional custom release suffix, for example stignore.6"
+        description: "Optional custom release suffix, for example stignore.7"
         required: false
   schedule:
     - cron: "17 04 * * *"
@@ -120,6 +120,7 @@ jobs:
           CUSTOM_RELEASE_REMOTE: origin
           CUSTOM_RELEASE_BUILDS: "darwin/arm64/zip/1 linux/amd64/tar/0 linux/arm64/tar/0"
           CUSTOM_RELEASE_CODESIGN_TEAM_ID: "NG5W75WE8U"
+          CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "0"
           CUSTOM_RELEASE_CREATE_GITEA_RELEASE: "1"
           CUSTOM_RELEASE_TEA_REPO: felixfoertsch/syncthing
 

scripts/tests/test-custom-release-macos-runner.bats

@@ -156,7 +156,7 @@ setup() {
 	[ "$status" -eq 0 ]
 }
 
-@test "custom release validates darwin binaries before publishing" {
+@test "custom release validates signed darwin binaries before publishing" {
 	run rg -n 'modernc-sqlite' "$RELEASE_SCRIPT"
 	[ "$status" -eq 0 ]
 
@@ -166,6 +166,15 @@ setup() {
 	run rg -n 'TeamIdentifier=NG5W75WE8U|TeamIdentifier.*NG5W75WE8U' "$RELEASE_SCRIPT"
 	[ "$status" -eq 0 ]
 
+	run rg -n 'CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT: "0"' "$WORKFLOW"
+	[ "$status" -eq 0 ]
+
+	run rg -n 'require_gatekeeper_assessment="\$\{CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT:-0\}"' "$RELEASE_SCRIPT"
+	[ "$status" -eq 0 ]
+
+	run rg -n 'if \[\[ "\$require_gatekeeper_assessment" == "1" \]\]; then' "$RELEASE_SCRIPT"
+	[ "$status" -eq 0 ]
+
 	run rg -n 'spctl -a -vv --type execute' "$RELEASE_SCRIPT"
 	[ "$status" -eq 0 ]
 }

scripts/update-custom-release.sh

@@ -6,7 +6,7 @@ set -euo pipefail
 
 upstream_url="${CUSTOM_RELEASE_UPSTREAM_URL:-https://github.com/syncthing/syncthing.git}"
 upstream_tag="${CUSTOM_RELEASE_UPSTREAM_TAG:-}"
-suffix="${CUSTOM_RELEASE_SUFFIX:-stignore.6}"
+suffix="${CUSTOM_RELEASE_SUFFIX:-stignore.7}"
 branch_prefix="${CUSTOM_RELEASE_BRANCH_PREFIX:-custom}"
 dist_dir="${CUSTOM_RELEASE_DIST_DIR:-dist}"
 target="${CUSTOM_RELEASE_TARGET:-syncthing}"
@@ -15,6 +15,7 @@ build_specs="${CUSTOM_RELEASE_BUILDS:-}"
 default_cgo_enabled="${CUSTOM_RELEASE_CGO_ENABLED:-0}"
 codesign_identity="${CUSTOM_RELEASE_CODESIGN_IDENTITY:-}"
 codesign_team_id="${CUSTOM_RELEASE_CODESIGN_TEAM_ID:-NG5W75WE8U}"
+require_gatekeeper_assessment="${CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT:-0}"
 push_release="${CUSTOM_RELEASE_PUSH:-0}"
 push_branch="${CUSTOM_RELEASE_PUSH_BRANCH:-0}"
 push_remote="${CUSTOM_RELEASE_REMOTE:-origin}"
@@ -329,7 +330,11 @@ sign_and_validate_darwin_binary() {
 		printf '%s\n' "$codesign_details" >&2
 		die "darwin build is not signed by TeamIdentifier=$codesign_team_id"
 	fi
-	spctl -a -vv --type execute "$binary"
+	if [[ "$require_gatekeeper_assessment" == "1" ]]; then
+		spctl -a -vv --type execute "$binary"
+	else
+		log "Skipping Gatekeeper assessment because CUSTOM_RELEASE_REQUIRE_GATEKEEPER_ASSESSMENT=$require_gatekeeper_assessment"
+	fi
 }
 
 push_refs() {