Comment by latexr

> unlocking the keychain, finding the right identity

You don’t need to do that, you can give options to the CLI to define what profile to use.

> Most of the hassle is because it's 100% unattended and I had to do stuff to avoid GUI-prompts for passwords/unlocks

I have a shell function to which I point my code and it compiles, signs, and notarises it without any more intervention, GUI or password prompts, and I’m pretty sure signing and notarising are literally two lines.

Unfortunately I’m not at my computer now or I’d paste them, but from your description that script is definitely too long.