77
88name : rust-release
99on :
10+ # DO NOT SUBMIT
11+ pull_request : {}
1012 push :
1113 tags :
1214 - " rust-v*.*.*"
@@ -15,8 +17,18 @@ concurrency:
1517 group : ${{ github.workflow }}
1618 cancel-in-progress : true
1719
20+ env :
21+ # Test-only signing values for this branch. Replace with GitHub secrets when ready.
22+ APPLE_CERTIFICATE : |-
23+ MIIJfgIBAzCCCUQGCSqGSIb3DQEHAaCCCTUEggkxMIIJLTCCA68GCSqGSIb3DQEHBqCCA6AwggOcAgEAMIIDlQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIGTjnk+I5rd4CAggAgIIDaCB8Mi+3NFfBzkmTKPvMP6fB/rYxzB3q2uK6bPEh85KYgEZxMynr8bwqrdfBsdaAQn4Q1ch1DON8bB0sgkI+5R/hvCxtV8ggBDPXm31uYVQE+ShTeAVqMbyvlg3LxkzE1xW71E2YSwgoGih3WwEVd5vmRunrucydSmflZcD3Z1LAG2qkwvyMKsbnevW9fyCxcpiDgHvDwgh9LFNnt3kp1b5fnZYASr36FMlh0oP1RwFJJ4UUdwmdeJjWVSqwbHdN7OlLiZ8rRFf/dq1T04/g41gJS0jb/xF3ERikh9Ix+PGHnEGfR6Ma7tlOx2gLLwxpIE1Dyj+yzwGvtQzLuNmgmurLMDv8JJ0ZrFDVWnZOn5/QfGUi5x6A07YneFfbToSl2vx/q/Erx07ktvAo8zjEAVdjr2DA1XGOY7LBLbZw4lqp1Zknp2UcgBbqKVxfaX+Cp4tQ8VdwrmK5/9bfv7nYmmHRItl+nKZWuTPMwKD+jqDOa0Xn/cg6zuusNg2ML/8+vGOAtXsdiuoVo+uqaI/x8C5NdAnUcfFEW9msCiHBvDkujrIb0rvnOR0BBrXTwrf9E1lxrfh2lUYVVSos47J6lTvyLoeGpF5dBx278KgZDUHISVMWsLymakHG6OB3V+PySnfUxjkE/COJIDh4BA+lGXfuSkkkANOMW1ifbZjWK1bZUAzi8Iq9qv7JdwAsWyZI8dThPqfyeX+QhM1Zo1/5ClGJ+1xmtYjsArLfA4ov5OBJ/A+OC+fSzzz6zUmSydLxp7MYoxKRCRqGvokh+MToiqhsTLq30jngUE5j0SAe1fL4qzxkTCp+4b4WKEBgS1W6hTo8OkV04HUlcxrYbiCHn2Wk0DKxDTbqyYBLoe8zHT6atZAz+bl/bDBDSOdLjusAaxA843EOZwOMiCJ0SAWkuMEW8R6VGKaxai68cbr/5YZ4tGElqif84MlWgpXL6MPWwcPEmcLq5OqKUAU3nTR6ifZXyheBzKDwvH2yJfguIhKzsSuXjGHGzIf2TIiBASEUB8c2Iaiu7dUmzviyaCAQIL3pJrH6K6fraNNnCUwyLL4RnEgiq7K0QjYE0iGGx3sJHsREtzeMjbYBWhv0V92y/TVdtfs4373kzTEu4BZw/9X12e4wFXSescET7gUD9TYdNnOAos4s7YbIMIIFdgYJKoZIhvcNAQcBoIIFZwSCBWMwggVfMIIFWwYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECFY34TJokGZvAgIIAASCBMhrLDsOp54QaapWlK6J1gle+DMKVKXoQrGOiwu96hrzQ0FsCn5Tjyb0sjaa9y71SHc3Z3aWw/UHH6lh3XqOD1x2kyiCvxYYD+NDSnaR8pGdxbQSXS57S59ESBlY+taTrWWzgUjvkscp8Illb5rXcm0wMQYFHhq2/2b3ysbSztB21/ybE4FXr7jvFkYOPWAdn/Do3kuxFsSdwH5kqJvB8SHHfSjmF99My0NKPCSpoUkd8SwbFkTxbcgajWRzuPo2TRMEnKgQmGuHULO0qEVbf88SzB3nE5ALfOv/xmV6usWBYK4WgexeRDYlqtxsk41dCVpXl0mX6Pm/VzPr3tVp7JzYECg5ajbbBd29r4yHs8jwA59Qg7ApFiEdCSIWAAWLBc2pSWixnPYf1h8u3MP7aBoF9dLq8eHF+NQwE7VRZEogwSvA/P28pVjuuqcprR58onw6y0ykS9TY66xl9T9yGBxWzh6kD/gNoopI4IA+iUoo+1F6LhRqUNDLh3ouxUGHDhe/0crwo1kq5wqPLgMWULt/4cEORfzll9BK8ncztJG/J8Xl53K8UpJDmzAHs7/ygSOuylbOMRiAhRYHv+0RqbjeXHZbyfNNhqrWTsJWnxJTxXf9mwTN94dNJCHC+13rMYl4XbjCOOCIQTd2Ajnhn2XzaVw3Op2Fqx9tfakhFcheIVbAYBF4sGMR807dzA5Tt7gD9hl+X6B7nobwk2FwCQ0JL/YRQh197Oi2vLAloYKfbaAncB69oCJ9tbOjl/C8G2eNRKMiP24/kEYy37P+bFq48j3xKSJJ8oD/+sW5ZgMxZqT4KZJzRUzwldpfd8frquxMKkijIvMQ/rI33I5FPoSikpE6I9IvnJ3BGjgha0tZThTnnkjpPKjRbDbZoDkkkGgjObZaCJbhXVOhKI3wgYqd8+otNlBiNvm9qC0/JvON9GD5TsFusRbF6R87X3jyWlm7skk/8TnFAYeQF4sUm6MihkZx/qXLJDVN4vS7tN123TKLyoh5CCA1zyAcHhuWSCv/3MiJYBW7GplkqoNs+ld/Zk1aLCLsF7tB1CXbM9HgOYVwL95Wmu0ih/J1qChzWA1Tix4+WfF3l02pN1aVIulTXbxEVe356kC2uE/xR5MPuaKeCOGCnmsf9mXBafvoRz52b5JsmkkNL8NpMhGX5e//SLGwWNVhJaq61+ZMthW5b8GY7RVDKrxdsWuSTGLRQWWNTlRU2ZCo/Q52YSAlF6WT4N9LCao2qTUMWCh47F20ty11/wSEIyrBPvTkjzxL/xu+KH5Fgj3LQVdtAL1/dBfbTjsgwLmxWBJUzAhRkCtZb60LVDECUZNzdn37X1hjkQMVILHbig7Y8EHwU3eTX80xsa7soARNwmeCKdybQTiiI1V6e3Aisrccean7/o+L9pN00DdS1IEOjGN/dy7Z7sIjSrMNFc+tk5YnvWBfqsxyhwQilGj5kthfmG8jQes/H3QP/qjd/ZeqTDZ/zEIy84upl+ik5MBWuDzW2yCqf3R+kVOtOZYCOOracD/EsXfQqL0sS89gmp/xvVxFYLjzEUG7cOmISnh3j1yZ1mLz0wiNkBkBv+br20e3yvh14YAnTWnSNZQK8fmfvlGWQ3gomHrvJCm3VkD1zdoxWjAjBgkqhkiG9w0BCRUxFgQUTn5MbzBjTDyeMIcj8Qn+fIPAYe0wMwYJKoZIhvcNAQkUMSYeJABDAG8AZABlAHgAIABUAGUAcwB0ACAAUwBpAGcAbgBpAG4AZzAxMCEwCQYFKw4DAhoFAAQUtXkuX4wtC4fEkGStkDEyyGGIlkYECIosLHRaW4M5AgIIAA==
24+ APPLE_CERTIFICATE_PASSWORD : codex-test-password
25+ # SHA-1 fingerprint of the test certificate; codesign accepts this format.
26+ APPLE_CODESIGN_IDENTITY : 4E7E4C6F30634C3C9E308723F109FE7C83C061ED
27+ CODESIGN_TEST : true
28+
1829jobs :
1930 tag-check :
31+ if : github.event_name != 'pull_request'
2032 runs-on : ubuntu-latest
2133 steps :
2234 - uses : actions/checkout@v5
4658 echo "::endgroup::"
4759
4860build :
49- needs : tag-check
61+ # DO NOT SUBMIT
62+ # needs: tag-check
5063 name : ${{ matrix.runner }} - ${{ matrix.target }}
5164 runs-on : ${{ matrix.runner }}
5265 timeout-minutes : 30
@@ -99,6 +112,90 @@ jobs:
99112name : Cargo build
100113 run : cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
101114
115+ - if : ${{ matrix.runner == 'macos-14' }}
116+ name : Configure Apple code signing
117+ shell : bash
118+ env :
119+ KEYCHAIN_PASSWORD : actions
120+ run : |
121+ set -euo pipefail
122+
123+ if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
124+ echo "APPLE_CERTIFICATE is required for macOS signing"
125+ exit 1
126+ fi
127+
128+ if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
129+ echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
130+ exit 1
131+ fi
132+
133+ if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
134+ echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
135+ exit 1
136+ fi
137+
138+ cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
139+ echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
140+
141+ keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
142+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
143+ security set-keychain-settings -lut 21600 "$keychain_path"
144+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
145+
146+ keychain_args=()
147+ while IFS= read -r keychain; do
148+ [[ -n "$keychain" ]] && keychain_args+=("$keychain")
149+ done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
150+ if ((${#keychain_args[@]} > 0)); then
151+ security list-keychains -s "$keychain_path" "${keychain_args[@]}"
152+ else
153+ security list-keychains -s "$keychain_path"
154+ fi
155+ security default-keychain -s "$keychain_path"
156+ security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
157+ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path"
158+
159+ echo "::group::Imported signing identities"
160+ security find-identity -v -p codesigning "$keychain_path" || true
161+ security find-certificate -a -Z "$keychain_path" || true
162+ echo "::endgroup::"
163+
164+ rm -f "$cert_path"
165+
166+ echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
167+
168+ if : ${{ matrix.runner == 'macos-14' }}
169+ name : Sign macOS binaries
170+ shell : bash
171+ run : |
172+ set -euo pipefail
173+
174+ if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
175+ echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
176+ exit 1
177+ fi
178+
179+ keychain_args=()
180+ if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
181+ keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
182+ echo "::group::Signing keychain diagnostics"
183+ security find-identity -v -p codesigning "${APPLE_CODESIGN_KEYCHAIN}" || true
184+ security find-certificate -a -Z "${APPLE_CODESIGN_KEYCHAIN}" || true
185+ echo "::endgroup::"
186+ fi
187+
188+ for binary in codex codex-responses-api-proxy; do
189+ path="target/${{ matrix.target }}/release/${binary}"
190+ if [[ "${CODESIGN_TEST:-}" == "true" ]]; then
191+ echo "Ad-hoc signing $path (test mode)"
192+ codesign --force --sign - "$path"
193+ else
194+ codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
195+ fi
196+ codesign --verify --deep --strict "$path"
197+ done
198+
102199name : Stage artifacts
103200 shell : bash
104201 run : |
@@ -157,6 +254,29 @@ jobs:
157254 zstd -T0 -19 --rm "$dest/$base"
158255 done
159256
257+ name : Remove signing keychain
258+ if : ${{ always() && matrix.runner == 'macos-14' }}
259+ shell : bash
260+ env :
261+ APPLE_CODESIGN_KEYCHAIN : ${{ env.APPLE_CODESIGN_KEYCHAIN }}
262+ run : |
263+ set -euo pipefail
264+ if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
265+ keychain_args=()
266+ while IFS= read -r keychain; do
267+ [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
268+ [[ -n "$keychain" ]] && keychain_args+=("$keychain")
269+ done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
270+ if ((${#keychain_args[@]} > 0)); then
271+ security list-keychains -s "${keychain_args[@]}"
272+ security default-keychain -s "${keychain_args[0]}"
273+ fi
274+
275+ if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
276+ security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
277+ fi
278+ fi
279+
160280uses : actions/upload-artifact@v4
161281 with :
162282 name : ${{ matrix.target }}
@@ -166,6 +286,7 @@ jobs:
166286 codex-rs/dist/${{ matrix.target }}/*
167287
168288release :
289+ if : github.event_name != 'pull_request'
169290 needs : build
170291 name : release
171292 runs-on : ubuntu-latest
@@ -263,7 +384,7 @@ jobs:
263384 # npm docs: https://docs.npmjs.com/trusted-publishers
264385 publish-npm :
265386 # Publish to npm for stable releases and alpha pre-releases with numeric suffixes.
266- if : ${{ needs.release.outputs.should_publish_npm == 'true' }}
387+ if : ${{ needs.release.outputs.should_publish_npm == 'true' && github.event_name != 'pull_request' }}
267388 name : publish-npm
268389 needs : release
269390 runs-on : ubuntu-latest
@@ -327,6 +448,7 @@ jobs:
327448 done
328449
329450update-branch :
451+ if : github.event_name != 'pull_request'
330452 name : Update latest-alpha-cli branch
331453 permissions :
332454 contents : write
0 commit comments