This guide explains how to create signed releases on GitHub and enable auto-updates for users.
What's Set Up:
- ✅ Code signing with Apple Developer ID
- ✅ Notarization with Apple
- ✅ Auto-updates via GitHub releases
- ✅ Automated GitHub Actions workflow
User Experience:
- User downloads Bottleneck once from GitHub releases
- App automatically checks for updates on launch
- When a new version is available, user gets a notification
- User clicks "Restart" and gets the latest version
- No manual downloads needed!
You need to add these secrets to your GitHub repository for automated releases to work.
On your Mac (the one where you set up code signing):
```bash
# 1. Open Keychain Access
# 2. Find "Developer ID Application: Alex Reibman (KQHSQY486C)"
# 3. Right-click → Export "Developer ID Application: Alex Reibman"
# 4. Save as: certificate.p12
# 5. Set a password (you'll need this)
```

```bash
base64 -i certificate.p12 -o certificate-base64.txt
```

This creates a text file with your certificate encoded.
Go to: https://github.com/areibman/bottleneck/settings/secrets/actions
Click "New repository secret" and add these:
| Secret Name | Value | Where to Get It |
|---|---|---|
| `MACOS_CERTIFICATE` | Contents of `certificate-base64.txt` | The base64 file you just created |
| `MACOS_CERTIFICATE_PASSWORD` | Password you set when exporting | The password from Step 1 |
| `KEYCHAIN_PASSWORD` | Any secure password | Make up a strong password (only used in CI) |
| `APPLE_ID` | areibman@gmail.com | Your Apple ID |
| `APPLE_APP_SPECIFIC_PASSWORD` | Your app-specific password | Same one from `.env.local` |
| `APPLE_TEAM_ID` | KQHSQY486C | Your Apple Team ID |
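
One way a macOS CI job can consume the three certificate secrets above, shown as an added example rather than this project's actual workflow script. It assumes the secrets are exported as environment variables under the same names; the keychain path and function names are hypothetical.

```bash
# Added example: load the signing certificate from the repository secrets into
# a throwaway keychain on a macOS runner. Keychain path and function names are
# hypothetical; the secrets are assumed to be exported as environment variables.
KEYCHAIN="${RUNNER_TEMP:-/tmp}/signing.keychain-db"

# Fail early and name the missing secret, without echoing any secret value.
require_secrets() {
  missing=0
  for name in MACOS_CERTIFICATE MACOS_CERTIFICATE_PASSWORD KEYCHAIN_PASSWORD; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing secret: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Decode the base64 secret into a file readable only by the current user.
decode_cert() {   # <output path>
  ( umask 077 && printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > "$1" )
}

# Import with -T so only codesign may use the key, then always remove the .p12.
import_signing_cert() {
  require_secrets || return 1
  p12="$(mktemp "${TMPDIR:-/tmp}/cert.XXXXXX")"
  status=0
  {
    decode_cert "$p12" &&
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" &&
    security set-keychain-settings -lut 21600 "$KEYCHAIN" &&
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" &&
    security import "$p12" -f pkcs12 -k "$KEYCHAIN" \
      -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign &&
    security set-key-partition-list -S apple-tool:,apple: \
      -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN" >/dev/null &&
    security list-keychains -d user -s "$KEYCHAIN"
  } || status=$?
  rm -f "$p12"
  return "$status"
}

# Call at the end of the job, also on failure, so the key does not outlive it.
cleanup_signing_cert() { security delete-keychain "$KEYCHAIN"; }

case "${1:-}" in
  import)  import_signing_cert ;;
  cleanup) cleanup_signing_cert ;;
esac
```
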
Security Note: After adding these secrets to GitHub, delete the local files:
```bash
rm certificate.p12 certificate-base64.txt
```

```bash
# 1. Update version in package.json
npm version patch # or minor, or major
# 2. Push with tags
git push && git push --tags
# 3. GitHub Actions automatically builds and releases!
```

```bash
# 1. Update version in package.json manually to 0.1.7
# 2. Commit changes
git add package.json
git commit -m "Release v0.1.7"
# 3. Create and push tag
git tag v0.1.7
git push && git push --tags
```

- GitHub Actions triggers when you push a tag
- Builds the app on macOS runner
- Signs with your certificate (from secrets)
- Notarizes with Apple (using your credentials)
- Creates GitHub release with signed DMG files
- Updates are now available to all users!
- User downloads `Bottleneck-{version}-arm64.dmg` from GitHub releases
- Drags to Applications folder
- Opens Bottleneck
- App launches instantly (signed & notarized!)
- User opens Bottleneck (any version after 0.1.7)
- App checks GitHub for new releases
- If update available, downloads in background
- Shows notification: "Update Ready - Restart to apply"
- User clicks "Restart"
- App updates automatically!
No manual downloading ever again! 🎉
https://github.com/areibman/bottleneck/actions
You'll see:
- ✅ Green check = Build succeeded, release created
- ❌ Red X = Build failed, check logs
- 🟡 Yellow = Build in progress
https://github.com/areibman/bottleneck/releases
Each release shows:
- Version number
- Release notes
- Download links for both Intel and Apple Silicon
- Auto-update metadata (`latest-mac.yml`)
Problem: GitHub can't find your certificate
Solution:
- Re-export certificate from Keychain Access
- Make sure you include the private key
- Re-encode to base64
- Update `MACOS_CERTIFICATE` secret on GitHub
Problem: Apple credentials are wrong
Solution:
- Verify `APPLE_ID` secret matches your Apple ID
- Verify `APPLE_APP_SPECIFIC_PASSWORD` is correct (not your regular password!)
- Verify `APPLE_TEAM_ID` is correct: `KQHSQY486C`
Problem: GitHub token doesn't have permissions
Solution:
- Go to repo Settings → Actions → General
- Scroll to Workflow permissions
- Select "Read and write permissions"
- Click Save
Problem: App not checking for updates
Solutions:
- Make sure they downloaded version 0.1.7 or later
- App only checks in production (not dev mode)
- Check GitHub releases has `latest-mac.yml` file
- User might have disabled auto-update notifications
Before creating a new release:
- Test the app locally
- Update CHANGELOG or release notes
- Update version in `package.json`
- Commit all changes
- Create and push git tag
- Monitor GitHub Actions build
- Verify release was created on GitHub
- Download and test the released DMG
- Announce release to users
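
For the "Download and test the released DMG" step, an added example (not part of the project's tooling) that checks a downloaded artifact against the hash recorded in `latest-mac.yml` and, on macOS, checks the installed app's signature, notarization ticket and signing team. It assumes electron-builder's manifest layout (`files:` entries with `url:` and a base64 `sha512:`); all function names are hypothetical.

```bash
# Added example, not the project's own script. Assumes electron-builder's
# latest-mac.yml layout: "files:" entries with "url:" and a base64 "sha512:".

# Print the sha512 the manifest records for one file name.
expected_sha512() {   # <latest-mac.yml> <file name>
  awk -v want="$2" '
    /^[A-Za-z]/                        { current = "" }  # top-level key closes the entry
    $1 == "-" && $2 == "url:"          { current = $3 }
    $1 == "sha512:" && current == want { print $2; exit }
  ' "$1"
}

# Hex SHA-512 of a file, via sha512sum (Linux) or shasum (macOS).
file_sha512_hex() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1"
  else shasum -a 512 "$1"; fi | awk '{ print $1 }'
}

# Returns 0 if the file matches the manifest, 1 on mismatch, 2 if not listed.
verify_against_manifest() {   # <latest-mac.yml> <downloaded file>
  recorded="$(expected_sha512 "$1" "$(basename "$2")")"
  [ -n "$recorded" ] || return 2
  recorded_hex="$(printf '%s' "$recorded" | base64 --decode | od -An -v -tx1 | tr -d ' \n')"
  [ "$recorded_hex" = "$(file_sha512_hex "$2")" ]
}

# macOS only: signature seal, Gatekeeper policy, stapled notarization ticket,
# and that the signing team is the expected one (e.g. the APPLE_TEAM_ID value).
verify_signature() {   # <path to the installed .app> <expected team id>
  codesign --verify --deep --strict "$1" &&
  spctl --assess --type execute "$1" &&
  xcrun stapler validate "$1" &&
  codesign -d --verbose=4 "$1" 2>&1 | grep -q "^TeamIdentifier=$2\$"
}

if [ "$#" -eq 2 ]; then verify_against_manifest "$1" "$2"; fi
```

The manifest check only shows that the artifact and `latest-mac.yml` agree with each other; the signature and team-ID check is what ties the app to the Developer ID certificate.
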
Semantic Versioning (semver):
- Patch (0.1.6 → 0.1.7): Bug fixes, minor changes
  `npm version patch`
- Minor (0.1.7 → 0.2.0): New features, backwards compatible
  `npm version minor`
- Major (0.2.0 → 1.0.0): Breaking changes
  `npm version major`
- Total Downloads: Check each release on GitHub
- Update Adoption: Most users auto-update within 24 hours
- Build Time: ~15-20 minutes per release (includes notarization)
- Apple Developer Account: $99/year
- GitHub Actions: Free for public repos
- Total: $99/year for unlimited signed releases!
Test releases before going live:
```bash
# Create pre-release tag
git tag v0.1.7-beta.1
git push --tags
```

Then on GitHub:
- Go to the release
- Check "This is a pre-release"
- Only users who opt-in will get beta updates
- Electron Builder Publishing
- Electron Updater Documentation
- GitHub Actions Documentation
- Apple Notarization Guide
If you run into issues:
- Check the GitHub Actions logs
- Verify all secrets are set correctly
- Test local build first: `./build-signed.sh`
- Check Apple's notarization status at https://appstoreconnect.apple.com
Next Steps:
- Set up GitHub secrets (see above)
- Test with a new version tag
- Distribute to users
- Enjoy automatic updates! 🚀