"Open in BBEdit" repository command fails

Describe the bug

When using “Open in BBEdit” to open a repository in BBEdit, the operation fails silently. This occurs because GitHub Desktop is built using the hardened runtime, and needs an entitlement to send Apple Events to other applications, as well as an “NSAppleEventsUsageDescription” entry in its application property list.

Version & OS

application version 2.3.1 macOS version 10.14.6

Steps to reproduce the behavior

1. Download and install BBEdit 12.6.7 or later.
2. Start GitHub Desktop, if necessary.
3. If necessary, choose “BBEdit” as the external editor in GitHub’s “Integrations” preferences.
4. Add or import a Git repository, if necessary.
5. Choose “Open in BBEdit” from the Repository menu.

Expected behavior

=> repository opens in BBEdit

Actual behavior

=> no visible activity

Additional context

Observing in Console, it looks like GitHub Desktop tries to run the bbedit command-line tool. This works by sending an Apple Event to BBEdit to perform the requested operation. However, the execution context of the tool is such that the OS thinks that it’s GitHub Desktop trying to automate BBEdit.

In turn, this fails because GitHub Desktop is using the macOS Hardened Runtime, but does not have a code-signing entitlement to allow it to send Apple Events to other applications.

In order for this to work, I believe there are two things that need to be done in GitHub Desktop:

1. Add a code signing entitlement, as follows:

	<key>com.apple.security.automation.apple-events</key>
	<true />

1. Add an NSAppleEventsUsageDescription to GitHub Desktop’s application property list. Something along these lines should work:

	<key>NSAppleEventsUsageDescription</key>
	<string>GitHub Desktop uses Apple Events to implement integration features with external editors.</string>

Logs

Here are the relevant log excerpts from the system console, coincident with choosing the “Open in BBEdit” command from the Repository menu:

error    17:12:16.646817 -0500    tccd    Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for RESP:{ID: com.github.GitHubClient, PID[55912], auid: 501, euid: 501, responsible path: '/Applications/GitHub Desktop.app/Contents/MacOS/GitHub Desktop', binary path: '/Applications/GitHub Desktop.app/Contents/MacOS/GitHub Desktop'}, ACC:{ID: com.barebones.bbedit-tool, PID[56080], auid: 501, euid: 501, binary path: '/Applications/BBEdit.app/Contents/Helpers/bbedit_tool'}, REQ:{ID: com.apple.appleeventsd, PID[53], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
default    17:12:16.650544 -0500    BBEdit    TCCAccessRequestIndirect: TCCAccessRequestIndirect with pid 55522: target_identity: {
    kTCCCodeIdentityAuthority = kTCCCodeIdentityDesignatedRequirementAuthority;
    kTCCCodeIdentityCSFlags = 570491665;
    kTCCCodeIdentityCanSendToAnyTarget = 0;
    kTCCCodeIdentityDesignatedRequirementData = <fade0c00 000000a4 00000001 00000006 00000002 00000017 636f6d2e 67697468 75622e47 69744875 62436c69 656e7400 00000006 0000000f 00000006 0000000e 00000001 0000000a 2a864886 f7636406 02060000 00000000 00000006 0000000e 00000000 0000000a 2a864886 f7636406 010d0000 00000000 0000000b 00000000 0000000a 7375626a 6563742e 4f550000 00000001 0000000a 56454b54 58394832 4e370000>;
    kTCCCodeIdentityExecutableURL = "file:///Applications/GitHub%20Desktop.app/Contents/MacOS/GitHub%20Desktop";
    kTCCCodeIdentityIdentifier = "com.github.GitHubClient";
    kTCCCodeIdentityIdentifierType = 0;
    kTCCCodeIdentityPromptPolicy = 4;
    kTCCCodeIdentitySDKVersion = 658432;
    kTCCCodeIdentityTeamID = VEKTX9H2N7;
}
default    17:12:16.835482 -0500    tccd    target_executable_path_URL: file:///Applications/GitHub%20Desktop.app/Contents/MacOS/GitHub%20Desktop
default    17:12:16.837101 -0500    tccd    AccessRequestIndirect: Policy disallows prompt for com.github.GitHubClient; access to kTCCServiceAppleEvents denied