comment

Author: celia-oai

.github/actions/macos-code-sign/action.yml

@@ -12,9 +12,6 @@ inputs:
     description: Whether to sign and notarize the macOS DMG.
     required: false
     default: "true"
-  dmg-path:
-    description: Path to the DMG to sign and notarize (defaults to codex-rs/target/<target>/release/codex-<target>.dmg).
-    required: false
   apple-certificate:
     description: Base64-encoded Apple signing certificate (P12).
     required: true
@@ -223,14 +220,9 @@ runs:
       run: |
         set -euo pipefail
 
-        if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
-          echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
-          exit 1
-        fi
-
-        for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
+        for var in APPLE_CODESIGN_IDENTITY APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
           if [[ -z "${!var:-}" ]]; then
-            echo "$var is required for notarization"
+            echo "$var is required"
             exit 1
           fi
         done
@@ -274,10 +266,7 @@ runs:
           fi
         }
 
-        dmg_path="${{ inputs.dmg-path }}"
-        if [[ -z "$dmg_path" ]]; then
-          dmg_path="codex-rs/target/${{ inputs.target }}/release/codex-${{ inputs.target }}.dmg"
-        fi
+        dmg_path="codex-rs/target/${{ inputs.target }}/release/codex-${{ inputs.target }}.dmg"
 
         if [[ ! -f "$dmg_path" ]]; then
           echo "DMG $dmg_path not found"

.github/workflows/rust-release.yml

@@ -128,7 +128,7 @@ jobs:
           account-name: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
           certificate-profile-name: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
 
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ runner.os == 'macOS' }}
         name: MacOS code signing (binaries)
         uses: ./.github/actions/macos-code-sign
         with:
@@ -141,8 +141,8 @@ jobs:
           apple-notarization-key-id: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }}
           apple-notarization-issuer-id: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }}
 
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
-        name: Build macOS DMG
+      - if: ${{ runner.os == 'macOS' }}
+        name: Build macOS dmg
         shell: bash
         run: |
           set -euo pipefail
@@ -155,7 +155,7 @@ jobs:
 
           # The previous "MacOS code signing (binaries)" step signs + notarizes the
           # built artifacts in `${release_dir}`. This step packages *those same*
-          # signed binaries into a DMG.
+          # signed binaries into a dmg.
           codex_binary_path="${release_dir}/codex"
           proxy_binary_path="${release_dir}/codex-responses-api-proxy"
 
@@ -187,7 +187,7 @@ jobs:
             exit 1
           fi
 
-      - if: ${{ matrix.runner == 'macos-15-xlarge' }}
+      - if: ${{ runner.os == 'macOS' }}
         name: MacOS code signing (dmg)
         uses: ./.github/actions/macos-code-sign
         with: