Commit graph

9 commits

Author SHA1 Message Date
Leon Mika 03da0c3e85 Add optional s3-acl input for canned ACLs on uploads
Lets the workflow set, e.g., public-read on the uploaded object so the
HTTPS URL is actually downloadable without further configuration. Empty
default means no ACL is sent — required for modern AWS buckets with
Object Ownership = "Bucket owner enforced" that reject any ACL.

Validates the value against the AWS canned-ACL list at config time so
typos fail before the upload runs. Wires the input through action.yml,
config, and the orchestrator; adds a unit test that the ACL is forwarded
to PutObjectInput when set and omitted when empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 13:59:49 +10:00
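As an added illustration of the config-time check this commit describes (example code written for this page, not the repository's own implementation): an empty `s3-acl` value is accepted and means no ACL is sent, any other value must match the AWS canned-ACL list, and the ACL is only attached to the upload request when set. The `putObjectInput` struct is a hypothetical stand-in for the SDK's `PutObjectInput` so the example runs with the standard library alone; the function names are assumptions, not the action's.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// cannedACLs holds the S3 canned ACL names from AWS's public documentation.
// Constructed for this example; the action may keep its own list.
var cannedACLs = map[string]struct{}{
	"private":                   {},
	"public-read":               {},
	"public-read-write":         {},
	"authenticated-read":        {},
	"aws-exec-read":             {},
	"bucket-owner-read":         {},
	"bucket-owner-full-control": {},
	"log-delivery-write":        {},
}

// ValidateCannedACL is the config-time check: "" is allowed and means
// "send no ACL"; anything else must be a known canned ACL, so a typo
// fails before any upload runs.
func ValidateCannedACL(acl string) error {
	if acl == "" {
		return nil
	}
	if _, ok := cannedACLs[acl]; ok {
		return nil
	}
	names := make([]string, 0, len(cannedACLs))
	for n := range cannedACLs {
		names = append(names, n)
	}
	sort.Strings(names)
	return fmt.Errorf("s3-acl: %q is not a canned ACL (expected one of: %s)",
		acl, strings.Join(names, ", "))
}

// putObjectInput is a hypothetical stand-in for the SDK's PutObjectInput.
// A nil ACL means the request carries no x-amz-acl header, which is what
// buckets with Object Ownership = "Bucket owner enforced" require.
type putObjectInput struct {
	Bucket string
	Key    string
	ACL    *string
}

// BuildPutObjectInput validates the ACL and forwards it only when set.
func BuildPutObjectInput(bucket, key, acl string) (putObjectInput, error) {
	if err := ValidateCannedACL(acl); err != nil {
		return putObjectInput{}, err
	}
	in := putObjectInput{Bucket: bucket, Key: key}
	if acl != "" {
		in.ACL = &acl // parameter copy, so the pointer is safe to keep
	}
	return in, nil
}

func main() {
	// Constructed inputs: the empty default, a valid ACL, and a typo.
	for _, acl := range []string{"", "public-read", "pubic-read"} {
		in, err := BuildPutObjectInput("example-bucket", "app.zip", acl)
		switch {
		case err != nil:
			fmt.Println("rejected:", err)
		case in.ACL == nil:
			fmt.Println("upload with no ACL header")
		default:
			fmt.Println("upload with ACL", *in.ACL)
		}
	}
}
```

Because the rejection happens in `BuildPutObjectInput` before any request is constructed, a misspelled value never reaches the bucket, and the default path produces a request without an ACL at all rather than an explicit `private`.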
Leon Mika 78f63e640f Print public HTTPS URL of uploaded artefact
After a successful S3 upload, log the HTTPS URL so the workflow run
output shows where the artefact was published. Uses the regional
virtual-hosted form for AWS S3 and path-style for custom endpoints,
matching how NewClient configures the client.

The URL is what the object would be served at if the bucket allows
public reads — the orchestrator does not assert anything about the
bucket's access policy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 13:54:57 +10:00
Leon Mika bee3c59239 Fixed action package 2026-05-02 11:47:13 +10:00
Leon Mika 6197ad077f Apply final review fixes: deterministic outputs, abs path, failure-path test, go.mod pin
- Outputs are now written in fixed order so partial writes are reproducible.
- artifact-path output and S3 upload source are resolved to absolute paths,
  matching the README's "absolute path" promise.
- New TestRun_FailureStillRunsCleanup integration test injects a notarization
  failure and asserts the temporary keychain is still deleted, proving the
  cleanup stack runs on every error path.
- go.mod pinned to go 1.22 (matches sample fixture; works on standard macOS
  runner images) instead of the local-development 1.25.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 10:57:32 +10:00
Leon Mika 3b2fa2d6ae Remove stray go.sum from sample-app fixture
The same artefact that go get/test sometimes leaves in fixture directories.
modfile.Parse is text-only and the test path never resolves modules;
the file is unnecessary and matches the cleanup we did after Task 5.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 10:37:50 +10:00
Leon Mika 22aa4d6069 Add end-to-end integration test with fake external binaries
Exercises the full run() pipeline using fake shell scripts on PATH that
record their argv to a temp RECORD_DIR. Verifies all external commands
were invoked, outputs contain the expected version/app/artifact values,
ditto was called twice (pre- and post-staple), and security delete-keychain
ran during cleanup.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 10:37:12 +10:00
Leon Mika 445c99e6c4 Mask base64 cert and document add-mask stdout requirement
DeveloperIDCertBase64 is the .p12 contents and is as sensitive as
the password — register it with the log scrubber so a future code
path that accidentally wraps cfg in a debug log can't leak it. Also
documents why maskSecrets writes to stdout rather than stderr.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 10:34:05 +10:00
Leon Mika 97fb47d023 Wire orchestrator end-to-end
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 10:29:08 +10:00
Leon Mika b86a9dc9eb Bootstrap Go module and action skeleton
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 09:40:04 +10:00