beeper · mokagio · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
diff --git a/.buildkite/commands/sign-macos-binaries.sh b/.buildkite/commands/sign-macos-binaries.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# We don't care about the specific Go version, only that Go is available.
+# `go build` will then fetch the desired version.
+if ! command -v go >/dev/null 2>&1; then
+  echo "--- :package: installing go"
+  brew install go
+fi
+go version
+
+echo "--- :hammer_and_wrench: build macOS binaries"
+GOOS=darwin GOARCH=amd64 ./build.sh -o bbctl-macos-amd64
+GOOS=darwin GOARCH=arm64 ./build.sh -o bbctl-macos-arm64
+
+echo "--- :key: fetch Developer ID cert into the agent keychain"
+install_gems
+bundle exec fastlane set_up_signing
+
+echo "--- :apple: sign + notarize"
+# sign_and_notarize comes from the CI toolkit plugin
+sign_and_notarize bbctl-macos-amd64 bbctl-macos-arm64
+
+echo "--- :lock: checksums"
+shasum -a 256 bbctl-macos-amd64 bbctl-macos-arm64 > sha256sums.txt
+cat sha256sums.txt
diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
+---
+
+agents:
+  queue: mac
+
+env:
+  IMAGE_ID: $IMAGE_ID
+
+steps:
+  - label: ":apple: Build, sign, notarize macOS binaries"
+    key: sign-macos
+    command: .buildkite/commands/sign-macos-binaries.sh
+    plugins: [$CI_TOOLKIT_PLUGIN]
+    artifact_paths:
+      - bbctl-macos-amd64
+      - bbctl-macos-arm64
+      - sha256sums.txt
+    notify:
+      - github_commit_status:
+          context: Sign & Notarize macOS
diff --git a/.buildkite/shared-pipeline-vars b/.buildkite/shared-pipeline-vars
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# Sourced before `buildkite-agent pipeline upload` so the values land in the rendered pipeline.
+
+XCODE_VERSION=$(grep -Ev '^[[:space:]]*(#|$)' .xcode-version | head -n1 | sed -E 's/^[[:space:]]*//; s/^~> ?//; s/[[:space:]]*$//')
+export IMAGE_ID="xcode-$XCODE_VERSION"
+
+# TEMPORARY: pinned to a commit on the `mokagio/macos-sign-and-notarize` branch
+# adding the macOS `sign_and_notarize` command. Revert to a released tag
+# (>= the version that ships it) before merging.
+CI_TOOLKIT_PLUGIN_VERSION='8a67edfc19a7fd04de7033d790bd1a7a4f0f8b4d'
+export CI_TOOLKIT_PLUGIN="automattic/a8c-ci-toolkit#$CI_TOOLKIT_PLUGIN_VERSION"
diff --git a/.bundle/config b/.bundle/config
@@ -0,0 +1,4 @@
+---
+BUNDLE_PATH: "vendor/bundle"
+BUNDLE_SPECIFIC_PLATFORM: "false"
+BUNDLE_FORCE_RUBY_PLATFORM: "true"
diff --git a/.github/workflows/go.yaml b/.github/workflows/go.yaml
@@ -59,20 +59,6 @@ jobs:
           path: bbctl-linux-arm64
           if-no-files-found: error
 
-      - name: Upload macos/amd64 artifact
-        uses: actions/upload-artifact@v6
-        with:
-          name: bbctl-macos-amd64
-          path: bbctl-macos-amd64
-          if-no-files-found: error
-
-      - name: Upload macos/arm64 artifact
-        uses: actions/upload-artifact@v6
-        with:
-          name: bbctl-macos-arm64
-          path: bbctl-macos-arm64
-          if-no-files-found: error
-
   build-docker:
     runs-on: ${{ matrix.runs-on }}
     strategy:

diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 /bbctl
+vendor/bundle/
diff --git a/.xcode-version b/.xcode-version
@@ -0,0 +1,4 @@
+# Pinned: nokogiri 1.19.3 won't compile from source on the Xcode 26.5 image
+# (its clang breaks the bundled gumbo build). 26.3 builds it. Bump once a newer
+# image compiles nokogiri from source (we force the Ruby platform via .bundle/config).
+26.3
diff --git a/Gemfile b/Gemfile
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gem 'fastlane', '~> 2.236'
+gem 'fastlane-plugin-wpmreleasetoolkit', '~> 14.6'