.github/workflows/add-to-project.yml

@@ -21,7 +21,7 @@ jobs:
           creds: ${{ secrets.ECOSYSTEM_ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Add to Project
-        uses: dsanders11/project-actions/add-item@eb760c48894b5702398529cbb8f6e98378e315d0 # v1.3.0
+        uses: dsanders11/project-actions/add-item@9c80cd31f58599941c64f74636bea95ba5d46090 # v1.5.1
         with:
           field: Opened
           field-value: ${{ github.event.pull_request.created_at || github.event.issue.created_at }}

.github/workflows/docs.yml

@@ -0,0 +1,33 @@
+name: Publish API documentation
+
+on:
+  push:
+    tags:
+      - v[0-9]+.[0-9]+.[0-9]+*
+
+permissions: {}
+
+jobs:
+  docs:
+    runs-on: ubuntu-24
+    environment: 
+      name: publish-docs
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # tag: v4.2.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a  # tag: v4.2.0
+        with:
+          node-version: '22.12.x'
+          cache: 'yarn'
+      - name: Install dependencies
+        run: yarn --frozen-lockfile
+      - name: Build API documentation
+        run: yarn build:docs
+      - name: Upload to Azure Blob Storage
+        uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd  # tag: v2.1.0
+        with:
+          azcliversion: latest
+          inlineScript: |
+            az storage blob upload-batch --account-name $ACCOUNT_NAME -d '$web/notarize/${{ github.ref_name }}' -s ./docs --overwrite --sas-token "$SAS_TOKEN"
+        env:
+          SAS_TOKEN: ${{ secrets.SAS_TOKEN }}
+          ACCOUNT_NAME: ${{ secrets.ACCOUNT_NAME }}

.github/workflows/release.yml

@@ -0,0 +1,35 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    needs: test
+    environment: npm
+    permissions:
+      id-token: write # for CFA and npm provenance
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: '22.12.x'
+          cache: 'yarn'
+      - name: Install
+        run: yarn install --frozen-lockfile
+      - uses: continuousauth/action@4e8a2573eeb706f6d7300d6a9f3ca6322740b72d # v1.0.5
+        with:
+          project-id: ${{ secrets.CFA_PROJECT_ID }}
+          secret: ${{ secrets.CFA_SECRET }}
+          npm-token: ${{ secrets.NPM_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,35 @@
+name: Test
+
+on:
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '0 22 * * 3'
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test
+    strategy:
+      matrix:
+        node-version:
+          - '22.12.x'
+    runs-on: macos-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Node.js
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version: "${{ matrix.node-version }}"
+          cache: 'yarn'
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+      - name: Lint
+        run: yarn lint
+      - name: Test
+        run: yarn test

.nvmrc

@@ -0,0 +1 @@
+22.12

README.md

@@ -3,7 +3,7 @@ Electron Notarize
 
 > Notarize your Electron apps seamlessly for macOS
 
-[![CircleCI status](https://circleci.com/gh/electron/notarize.svg?style=shield)](https://circleci.com/gh/electron/notarize)
+[![Test](https://github.com/electron/notarize/actions/workflows/test.yml/badge.svg)](https://github.com/electron/notarize/actions/workflows/test.yml)
 [![NPM package](https://img.shields.io/npm/v/@electron/notarize)](https://npm.im/@electron/notarize)
 
 ## Installation
@@ -40,18 +40,12 @@ For notarization, you need the following things:
 > If you are using Electron 11 or below, you must add the `com.apple.security.cs.allow-unsigned-executable-memory` entitlement too.
 > When using version 12+, this entitlement should not be applied as it increases your app's attack surface.
 
-### Notarization on older macOS versions
-
-Xcode 13 is available from macOS 11.3, but notarization can be performed on systems down to macOS 10.15
-(see [TN3147](https://developer.apple.com/documentation/technotes/tn3147-migrating-to-the-latest-notarization-tool#Enable-notarization-on-an-older-version-of-macOS) for more information).
-
-To achieve this, you can copy notarytool binary from a newer macOS version and provide its path as `notarytoolPath` option.
 
 ## API
 
 `@electron/notarize` exposes a single `notarize` function that accepts the following parameters:
 * `appPath` — the absolute path to your codesigned and packaged Electron application.
-* `notarytoolPath` - String (optional) - Path of the notarytool binary ([more details](#notarization-on-older-macos-versions)) 
+* `notarytoolPath` - String (optional) - Path to a custom notarytool binary ([more details](#custom-notarytool)) 
 * additional options required for authenticating your Apple ID (see below)
 
 The method returns a void Promise once app notarization is complete. Please note that notarization may take
@@ -155,6 +149,11 @@ await notarize({
   keychainProfile,
 });
 ```
+
+### Custom notarytool
+
+You can provide a path to a custom `notarytool`. This module allows this option to enable unique edge cases - but this use case is _explicitly unsupported_. 
+
 ## Troubleshooting
 
 ### Debug logging

package.json

@@ -2,7 +2,8 @@
   "name": "@electron/notarize",
   "version": "0.0.0-development",
   "description": "Notarize your Electron app",
-  "main": "lib/index.js",
+  "type": "module",
+  "exports": "./lib/index.js",
   "typings": "lib/index.d.ts",
   "author": "Samuel Attard",
   "license": "MIT",
@@ -16,32 +17,36 @@
   },
   "scripts": {
     "build": "tsc",
+    "build:docs": "npx typedoc",
     "lint": "prettier --check \"src/**/*.ts\"",
+    "prettier:write": "prettier --write \"src/**/*.ts\"",
     "prepare": "yarn build",
-    "test": "jest"
+    "test": "vitest run"
   },
   "files": [
     "lib"
   ],
   "engines": {
-    "node": ">= 10.0.0"
+    "node": ">= 22.12.0"
+  },
+  "publishConfig": {
+    "provenance": true
   },
   "devDependencies": {
-    "@types/debug": "^4.1.5",
-    "@types/fs-extra": "^9.0.1",
-    "@types/jest": "^29.0.0",
-    "@types/node": "^13.7.7",
+    "@tsconfig/node22": "^22.0.0",
+    "@types/debug": "^4.1.12",
+    "@types/graceful-fs": "^4.1.9",
+    "@types/node": "~22.10.7",
     "@types/promise-retry": "^1.1.3",
-    "jest": "^29.0.0",
-    "prettier": "^1.18.2",
-    "ts-jest": "^29.0.0",
+    "prettier": "^3.4.2",
     "typedoc": "~0.25.13",
     "typedoc-plugin-missing-exports": "^2.2.0",
-    "typescript": "4.9.3"
+    "typescript": "~5.4.5",
+    "vitest": "^3.0.8"
   },
   "dependencies": {
-    "debug": "^4.1.1",
-    "fs-extra": "^9.0.1",
+    "debug": "^4.4.0",
+    "graceful-fs": "^4.2.11",
     "promise-retry": "^2.0.1"
   }
 }

src/check-signature.ts

@@ -1,7 +1,7 @@
 import * as path from 'path';
 
-import { spawn } from './spawn';
-import { NotaryToolNotarizeAppOptions } from './types';
+import { spawn } from './spawn.js';
+import { NotaryToolNotarizeAppOptions } from './types.js';
 import debug from 'debug';
 const d = debug('electron-notarize');
 

src/helpers.ts

@@ -1,23 +1,25 @@
 import debug from 'debug';
-import * as fs from 'fs-extra';
-import * as os from 'os';
-import * as path from 'path';
+import * as fs from 'graceful-fs';
+
+import * as os from 'node:os';
+import * as path from 'node:path';
+import * as util from 'node:util';
 
 const d = debug('electron-notarize:helpers');
 
 export async function withTempDir<T>(fn: (dir: string) => Promise<T>) {
-  const dir = await fs.mkdtemp(path.resolve(os.tmpdir(), 'electron-notarize-'));
+  const dir = await util.promisify(fs.mkdtemp)(path.resolve(os.tmpdir(), 'electron-notarize-'));
   d('doing work inside temp dir:', dir);
   let result: T;
   try {
     result = await fn(dir);
   } catch (err) {
     d('work failed');
-    await fs.remove(dir);
+    await util.promisify(fs.rm)(dir, { recursive: true, force: true });
     throw err;
   }
   d('work succeeded');
-  await fs.remove(dir);
+  await util.promisify(fs.rm)(dir, { recursive: true, force: true });
   return result;
 }
 
@@ -33,7 +35,7 @@ class Secret {
 }
 
 export function makeSecret(s: string) {
-  return (new Secret(s) as any) as string;
+  return new Secret(s) as any as string;
 }
 
 export function isSecret(s: string) {
@@ -63,10 +65,10 @@ export function parseNotarizationInfo(info: string): NotarizationInfo {
     }
   };
   matchToProperty('uuid', /\n *RequestUUID: (.+?)\n/);
-  matchToProperty('date', /\n *Date: (.+?)\n/, d => new Date(d));
+  matchToProperty('date', /\n *Date: (.+?)\n/, (d) => new Date(d));
   matchToProperty('status', /\n *Status: (.+?)\n/);
   matchToProperty('logFileUrl', /\n *LogFileURL: (.+?)\n/);
-  matchToProperty('statusCode', /\n *Status Code: (.+?)\n/, n => parseInt(n, 10) as any);
+  matchToProperty('statusCode', /\n *Status Code: (.+?)\n/, (n) => parseInt(n, 10) as any);
   matchToProperty('statusMessage', /\n *Status Message: (.+?)\n/);
 
   if (out.logFileUrl === '(null)') {
@@ -77,5 +79,5 @@ export function parseNotarizationInfo(info: string): NotarizationInfo {
 }
 
 export function delay(ms: number): Promise<void> {
-  return new Promise(resolve => setTimeout(resolve, ms));
+  return new Promise((resolve) => setTimeout(resolve, ms));
 }

src/index.ts

@@ -1,21 +1,16 @@
 import debug from 'debug';
 import retry from 'promise-retry';
 
-import { checkSignatures } from './check-signature';
-import { isNotaryToolAvailable, notarizeAndWaitForNotaryTool } from './notarytool';
-import { stapleApp } from './staple';
-import {
-  NotarizeOptions,
-  NotaryToolStartOptions,
-  NotarizeOptionsLegacy,
-  NotarizeOptionsNotaryTool,
-} from './types';
+import { checkSignatures } from './check-signature.js';
+import { isNotaryToolAvailable, notarizeAndWaitForNotaryTool } from './notarytool.js';
+import { stapleApp } from './staple.js';
+import { NotarizeOptions } from './types.js';
 
 const d = debug('electron-notarize');
 
 export { NotarizeOptions };
 
-export { validateNotaryToolAuthorizationArgs as validateAuthorizationArgs } from './validate-args';
+export { validateNotaryToolAuthorizationArgs as validateAuthorizationArgs } from './validate-args.js';
 
 /**
  * Sends your app to Apple for notarization with `notarytool` and staples a successful
@@ -28,19 +23,9 @@ export { validateNotaryToolAuthorizationArgs as validateAuthorizationArgs } from
  * @param args Options for notarization
  * @returns The Promise resolves once notarization is complete. Note that this may take a few minutes.
  */
-async function notarize(args: NotarizeOptionsNotaryTool): Promise<void>;
-/**
- * @deprecated
- */
-async function notarize(args: NotarizeOptionsLegacy): Promise<void>;
+async function notarize(args: NotarizeOptions): Promise<void>;
 
 async function notarize({ appPath, ...otherOptions }: NotarizeOptions) {
-  if (otherOptions.tool === 'legacy') {
-    throw new Error(
-      'Notarization with the legacy altool system was decommisioned as of November 2023',
-    );
-  }
-
   await checkSignatures({ appPath });
 
   d('notarizing using notarytool');
@@ -53,7 +38,7 @@ async function notarize({ appPath, ...otherOptions }: NotarizeOptions) {
   await notarizeAndWaitForNotaryTool({
     appPath,
     ...otherOptions,
-  } as NotaryToolStartOptions);
+  } as NotarizeOptions);
 
   await retry(() => stapleApp({ appPath }), {
     retries: 3,