build: add test dmg build workflow

.github/workflows/test-mac-dmg-build.yml

@@ -0,0 +1,112 @@
+name: Test macOS DMG Build
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - '.github/workflows/test-mac-dmg-build.yml'
+      - 'electron/**'
+      - 'build/**'
+      - 'tools/**'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'angular.json'
+      - 'tsconfig*.json'
+      - 'src/**'
+
+jobs:
+  build-and-verify-dmg:
+    runs-on: macos-latest
+    env:
+      UNSPLASH_KEY: ${{ secrets.UNSPLASH_KEY }}
+      UNSPLASH_CLIENT_ID: ${{ secrets.UNSPLASH_CLIENT_ID }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Reconfigure git to use HTTP authentication
+        run: |
+          git config --global url."https://github.com/".insteadOf ssh://git@github.com/
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+
+      - name: Get npm cache directory
+        id: npm-cache-dir
+        run: echo "dir=$(npm config get cache)" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/cache@v4
+        id: npm-cache
+        with:
+          path: ${{ steps.npm-cache-dir.outputs.dir }}
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install native helpers
+        run: npm install @nx/nx-darwin-arm64 dmg-license
+
+      - name: Install npm packages
+        run: npm i
+
+      - name: Configure macOS signing keychain
+        env:
+          MAC_CERTS: ${{ secrets.mac_certs }}
+          MAC_CERTS_PASSWORD: ${{ secrets.mac_certs_password }}
+        run: |
+          set -euo pipefail
+          CERT_PATH="$RUNNER_TEMP/mac-certs.p12"
+          echo "$MAC_CERTS" | base64 --decode > "$CERT_PATH"
+
+          KEYCHAIN_PATH="$HOME/Library/Keychains/build.keychain-db"
+          security create-keychain -p "" build.keychain
+          security set-keychain-settings -lut 21600 build.keychain
+          security unlock-keychain -p "" build.keychain
+          security import "$CERT_PATH" -k build.keychain -P "$MAC_CERTS_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+          security list-keychains -s build.keychain login.keychain
+          security default-keychain -s build.keychain
+          security set-key-partition-list -S apple-tool:,apple: -k "" build.keychain
+
+          {
+            echo "CSC_KEYCHAIN=$KEYCHAIN_PATH"
+            echo "CSC_LINK=file://$CERT_PATH"
+            echo "CSC_KEY_PASSWORD=$MAC_CERTS_PASSWORD"
+            echo "CSC_NAME=Developer ID Application: Johannes Millan (363FAFK383)"
+          } >> "$GITHUB_ENV"
+
+      - name: Generate environment & build sources
+        run: |
+          npm run env
+          npm run buildAllElectron:noTests:prod
+
+      - name: Build Developer ID DMG
+        run: npm run dist:mac:dl
+
+      - name: Verify DMG signature
+        run: |
+          set -euo pipefail
+          DMG_PATH=$(ls .tmp/app-builds/superProductivity-*.dmg | head -n 1)
+          if [ -z "$DMG_PATH" ]; then
+            echo "No DMG artefact found"
+            exit 1
+          fi
+
+          MOUNT_POINT="/Volumes/SuperProductivityTest"
+          hdiutil attach "$DMG_PATH" -mountpoint "$MOUNT_POINT" -nobrowse
+          trap 'hdiutil detach "$MOUNT_POINT" || true' EXIT
+
+          APP_PATH="$MOUNT_POINT/Super Productivity.app"
+          /usr/bin/codesign --verify --deep --strict --verbose=4 "$APP_PATH"
+          spctl --assess --verbose "$APP_PATH"
+          /usr/bin/codesign -dv "$APP_PATH" 2>&1 | grep Authority
+
+      - name: Upload DMG artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: mac-dmg-build
+          path: .tmp/app-builds/*.dmg
+          if-no-files-found: error