FrancoStino/macos-spm-app-packaging
bundled-skills/macos-spm-app-packaging/SKILL.md
Scaffold, build, sign, and package SwiftPM macOS apps without Xcode projects.
$ install --global
skillsauthnpx skillsauth add FrancoStino/opencode-skills-antigravity macos-spm-app-packagingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 18, 2026, 2:46 AM141.2s16 files scanned
SKILL.md
- name:
- macos-spm-app-packaging
- description:
- Scaffold, build, sign, and package SwiftPM macOS apps without Xcode projects.
- risk:
- safe
- source:
- Dimillian/Skills (MIT)
- date_added:
- 2026-03-25
macOS SwiftPM App Packaging (No Xcode)
Overview
Bootstrap a complete SwiftPM macOS app folder, then build, package, and run it without Xcode. Use assets/templates/bootstrap/ for the starter layout and references/packaging.md + references/release.md for packaging and release details.
When to Use
- When the user needs a SwiftPM-based macOS app without relying on an Xcode project.
- When you need packaging, signing, notarization, or appcast guidance for a SwiftPM app.
Two-Step Workflow
-
Bootstrap the project folder
- Copy
assets/templates/bootstrap/into a new repo. - Rename
MyAppinPackage.swift,Sources/MyApp/, andversion.env. - Customize
APP_NAME,BUNDLE_ID, and versions.
- Copy
-
Build, package, and run the bootstrapped app
- Copy scripts from
assets/templates/into your repo (for example,Scripts/). - Build/tests:
swift buildandswift test. - Package:
Scripts/package_app.sh. - Run:
Scripts/compile_and_run.sh(preferred) orScripts/launch.sh. - Release (optional):
Scripts/sign-and-notarize.shandScripts/make_appcast.sh. - Tag + GitHub release (optional): create a git tag, upload the zip/appcast to the GitHub release, and publish.
- Copy scripts from
Minimum End-to-End Example
Shortest path from bootstrap to a running app:
# 1. Copy and rename the skeleton
cp -R assets/templates/bootstrap/ ~/Projects/MyApp
cd ~/Projects/MyApp
sed -i '' 's/MyApp/HelloApp/g' Package.swift version.env
# 2. Copy scripts
cp assets/templates/package_app.sh Scripts/
cp assets/templates/compile_and_run.sh Scripts/
chmod +x Scripts/*.sh
# 3. Build and launch
swift build
Scripts/compile_and_run.sh
Validation Checkpoints
Run these after key steps to catch failures early before proceeding to the next stage.
After packaging (Scripts/package_app.sh):
# Confirm .app bundle structure is intact
ls -R build/HelloApp.app/Contents
# Check that the binary is present and executable
file build/HelloApp.app/Contents/MacOS/HelloApp
After signing (Scripts/sign-and-notarize.sh or ad-hoc dev signing):
# Inspect signature and entitlements
codesign -dv --verbose=4 build/HelloApp.app
# Verify the bundle passes Gatekeeper checks locally
spctl --assess --type execute --verbose build/HelloApp.app
After notarization and stapling:
# Confirm the staple ticket is attached
stapler validate build/HelloApp.app
# Re-run Gatekeeper to confirm notarization is recognised
spctl --assess --type execute --verbose build/HelloApp.app
Common Notarization Failures
| Symptom | Likely Cause | Recovery |
|---|---|---|
| The software asset has already been uploaded | Duplicate submission for same version | Bump BUILD_NUMBER in version.env and repackage. |
| Package Invalid: Invalid Code Signing Entitlements | Entitlements in .entitlements file don't match provisioning | Audit entitlements against Apple's allowed set; remove unsupported keys. |
| The executable does not have the hardened runtime enabled | Missing --options runtime flag in codesign invocation | Edit sign-and-notarize.sh to add --options runtime to all codesign calls. |
| Notarization hangs / no status email | xcrun notarytool network or credential issue | Run xcrun notarytool history to check status; re-export App Store Connect API key if expired. |
| stapler validate fails after successful notarization | Ticket not yet propagated | Wait ~60 s, then re-run xcrun stapler staple. |
Templates
assets/templates/package_app.sh: Build binaries, create the .app bundle, copy resources, sign.assets/templates/compile_and_run.sh: Dev loop to kill running app, package, launch.assets/templates/build_icon.sh: Generate .icns from an Icon Composer file (requires Xcode install).assets/templates/sign-and-notarize.sh: Notarize, staple, and zip a release build.assets/templates/make_appcast.sh: Generate Sparkle appcast entries for updates.assets/templates/setup_dev_signing.sh: Create a stable dev code-signing identity.assets/templates/launch.sh: Simple launcher for a packaged .app.assets/templates/version.env: Example version file consumed by packaging scripts.assets/templates/bootstrap/: Minimal SwiftPM macOS app skeleton (Package.swift, Sources/, version.env).
Notes
- Keep entitlements and signing configuration explicit; edit the template scripts instead of reimplementing.
- Remove Sparkle steps if you do not use Sparkle for updates.
- Sparkle relies on the bundle build number (
CFBundleVersion), soBUILD_NUMBERinversion.envmust increase for each update. - For menu bar apps, set
MENU_BAR_APP=1when packaging to emitLSUIElementin Info.plist.
Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Related Skills
FrancoStino/youtube-full
development
VerifiedTrustedCommunity
Fetch YouTube transcripts, search videos, browse channels, and extract playlists via TranscriptAPI — no yt-dlp, no Google API key, works from any cloud server.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/yield-intelligence
development
VerifiedTrustedCommunity
Passive income portfolio analysis — activate when user asks about dividend yields, Treasury rates, REIT income, monthly passive income goals, or portfolio yield optimization. Scans 4 asset classes, ranks by risk-adjusted return, and builds allocations targeting a specific monthly income.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/vibecode-production-qa-validator
devops
VerifiedTrustedCommunity
End-to-end production QA, build verification, and launch-readiness checklist for fullstack Next.js apps. Covers TypeScript, linting, tests, build, SEO tags, route regression, and sitemap validation.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/vibe-code-cleanup
development
VerifiedTrustedCommunity
Safe production cleanup and hardening for vibe-coded fullstack apps (Next.js, React, Node.js, etc.). Removes dead imports, unused files, and broken references without breaking routes or APIs.
31SKILL.mdUpdated Jun 5, 2026