Installers are built in GitHub Actions by .github/workflows/release.yml,
which mirrors the approach used by the figment project:
| Trigger | Result |
|---|---|
| Push to master | macOS .dmg + Windows .msi uploaded as workflow artifacts (nightly) |
| Tag v* (e.g. v3.0.53) | Same installers attached to a GitHub Release |
| Manual workflow_dispatch | Build on demand |
Both runners use the same Temurin JDK (JAVA_VERSION in the workflow). jpackage
bundles a runtime matching the runner architecture — so macos-latest yields a native
arm64 app (no Rosetta) and windows-latest yields an x64 .msi.
- Bump nodebox.version in src/main/resources/version.properties.
- Commit, then tag and push:

  ```shell
  git tag v3.0.53
  git push origin v3.0.53
  ```

- The workflow signs + notarizes the macOS build and creates the GitHub Release.
Set these under Settings → Secrets and variables → Actions. Windows is currently
shipped unsigned, so no Windows secrets are needed. If the macOS secrets are absent the
build still succeeds but produces an unsigned NodeBox-unsigned.zip instead of a .dmg.
| Secret | What it is |
|---|---|
| MACOS_CERTIFICATE | Base64 of your Developer ID Application certificate exported as .p12 |
| MACOS_CERTIFICATE_PWD | The password set when exporting the .p12 |
| KEYCHAIN_PASSWORD | Any throwaway string; used to create a temporary keychain on the runner |
| MACOS_SIGN_IDENTITY | Identity name, e.g. Developer ID Application: Frederik De Bleser (5X78EYG9RH) |
| APPLE_ID | Apple ID email used for notarization |
| APPLE_APP_SPECIFIC_PASSWORD | App-specific password generated at https://appleid.apple.com |
| APPLE_TEAM_ID | Developer Team ID, e.g. 5X78EYG9RH |
In Keychain Access, find Developer ID Application: …, right-click → Export as
.p12 (set a password — that's MACOS_CERTIFICATE_PWD). Then base64-encode it for the
MACOS_CERTIFICATE secret:
```shell
base64 -i Certificates.p12 | pbcopy
```

The same Ant targets run locally (signing uses your login keychain and the env vars above):

```shell
ant dist-mac sign-mac   # macOS: app image -> sign -> dmg -> notarize -> staple
ant dist-win            # Windows: .msi (requires WiX Toolset v3 on PATH)
```

Override the JDK used for packaging with -Djpackage=/path/to/jdk/bin/jpackage; by default
it uses the JDK running Ant (${java.home}/bin/jpackage).
platform/mac/bin/ffmpeg is a static arm64 build (ffmpeg 8.1 from
osxexperts.net, the Apple Silicon counterpart to the
evermeet.cx Intel builds). It links only system frameworks, so it bundles without extra
dylibs. To update it, download the latest ffmpegNNarm.zip, confirm it's self-contained
(otool -L ffmpeg shows only /usr/lib and /System), and replace the file. It must
keep the libx264 (h264/mp4) and libvpx (webm) encoders that NodeBox invokes.
The Windows (platform/windows/bin/ffmpeg.exe) and Linux binaries are still x86_64.
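
The self-containment and encoder checks described above for a replacement platform/mac/bin/ffmpeg, scripted as an added example (not part of the NodeBox repository). The function names and sample data are hypothetical, and it assumes the encoders are listed by ffmpeg -encoders under the exact names libx264 and libvpx.

```shell
#!/bin/sh
# Added example, not from the NodeBox repo: vet a replacement ffmpeg binary.

# stdin: `otool -L ffmpeg` output. Prints every linked library that is not
# under /usr/lib/ or /System/. Only indented lines are dependencies; the
# unindented "ffmpeg:" header is skipped.
non_system_libs() {
    awk '/^[ \t]/ && $1 !~ /^\/(usr\/lib|System)\// { print $1 }'
}

# stdin: `ffmpeg -hide_banner -encoders` output. Prints each required encoder
# that is absent. Column 2 is the encoder name and the match is exact, so
# libvpx-vp9 alone does not count as libvpx (assumed names: libx264, libvpx).
missing_encoders() {
    awk '{ seen[$2] = 1 }
         END { if (!("libx264" in seen)) print "libx264"
               if (!("libvpx" in seen)) print "libvpx" }'
}

# Run both checks on a real binary (macOS only: needs otool). Fails closed:
# no otool output is an error, and an ffmpeg that cannot execute is
# reported as missing both encoders.
vet_ffmpeg() {
    deps=$(otool -L "$1") || return 1
    extra=$(printf '%s\n' "$deps" | non_system_libs)
    missing=$("$1" -hide_banner -encoders 2>/dev/null | missing_encoders)
    [ -z "$extra" ] || printf 'links outside system paths: %s\n' $extra >&2
    [ -z "$missing" ] || printf 'missing encoder: %s\n' $missing >&2
    [ -z "$extra" ] && [ -z "$missing" ]
}

# Constructed sample: a build linking a Homebrew dylib and an @rpath dylib.
SAMPLE_OTOOL=$(printf 'ffmpeg:\n'
    printf '\t%s (compatibility version 1.0.0, current version 1.0.0)\n' \
        /usr/lib/libSystem.B.dylib \
        /System/Library/Frameworks/VideoToolbox.framework/Versions/A/VideoToolbox \
        /opt/homebrew/opt/x264/lib/libx264.164.dylib \
        @rpath/libvpx.9.dylib)

# Constructed sample: encoder list with libx264 and VP9 but no plain libvpx.
SAMPLE_ENCODERS=' V....D libx264     libx264 H.264 / AVC (codec h264)
 V....D libvpx-vp9  libvpx VP9 (codec vp9)
 A....D aac         AAC (Advanced Audio Coding)'

if [ "$#" -eq 1 ]; then vet_ffmpeg "$1"; fi
```

Run it with the candidate binary's path as the only argument; a non-zero exit means the download should not replace the bundled file.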