ci: use apple creds before pushing tags (#4313)

We have had a few releases fail because the Apple credentials needed some sort of fix. These release were operationally more interesting because they failed after pushing a git tag (which effectively releases the golagn package). Therefore, try to use these creds early, before there's a tag pushed. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-11-17 08:23:15 +01:00 · 2025-10-29 10:07:47 -04:00 · 2025-10-29 10:07:47 -04:00 · 728feea620
commit 728feea620
parent 45fb52dca1
1 changed files with 10 additions and 0 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -19,6 +19,16 @@ jobs:
        with:
          persist-credentials: false

+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+
+      - name: Validate Apple notarization credentials
+        run: .tool/quill submission list
+        env:
+          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
+          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
+          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
+
      - name: Check if running on main
        if: github.ref != 'refs/heads/main'
        # we are using the following flag when running `cosign blob-verify` for checksum signature verification: