@@ -15,6 +15,10 @@ concurrency:
1515 group : ${{ github.workflow }}
1616 cancel-in-progress : true
1717
18+ env :
19+ APPLE_CERTIFICATE : ${{ secrets.APPLE_CERTIFICATE_P12 }}
20+ APPLE_CERTIFICATE_PASSWORD : ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
21+
1822jobs :
1923 tag-check :
2024 runs-on : ubuntu-latest
4751
4852build :
4953 needs : tag-check
50- name : ${{ matrix.runner }} - ${{ matrix.target }}
54+ name : Build - ${{ matrix.runner }} - ${{ matrix.target }}
5155 runs-on : ${{ matrix.runner }}
5256 timeout-minutes : 30
5357 defaults :
@@ -94,11 +98,118 @@ jobs:
9498 - if : ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}}
9599 name : Install musl build tools
96100 run : |
97- sudo apt install -y musl-tools pkg-config
101+ sudo apt-get update
102+ sudo apt-get install -y musl-tools pkg-config
98103
99104name : Cargo build
100105 run : cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
101106
107+ - if : ${{ matrix.runner == 'macos-14' }}
108+ name : Configure Apple code signing
109+ shell : bash
110+ env :
111+ KEYCHAIN_PASSWORD : actions
112+ run : |
113+ set -euo pipefail
114+
115+ if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
116+ echo "APPLE_CERTIFICATE is required for macOS signing"
117+ exit 1
118+ fi
119+
120+ if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
121+ echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing"
122+ exit 1
123+ fi
124+
125+ cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
126+ echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
127+
128+ keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
129+ security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
130+ security set-keychain-settings -lut 21600 "$keychain_path"
131+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
132+
133+ keychain_args=()
134+ cleanup_keychain() {
135+ if ((${#keychain_args[@]} > 0)); then
136+ security list-keychains -s "${keychain_args[@]}" || true
137+ security default-keychain -s "${keychain_args[0]}" || true
138+ else
139+ security list-keychains -s || true
140+ fi
141+ if [[ -f "$keychain_path" ]]; then
142+ security delete-keychain "$keychain_path" || true
143+ fi
144+ }
145+
146+ while IFS= read -r keychain; do
147+ [[ -n "$keychain" ]] && keychain_args+=("$keychain")
148+ done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
149+
150+ if ((${#keychain_args[@]} > 0)); then
151+ security list-keychains -s "$keychain_path" "${keychain_args[@]}"
152+ else
153+ security list-keychains -s "$keychain_path"
154+ fi
155+
156+ security default-keychain -s "$keychain_path"
157+ security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
158+ security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
159+
160+ codesign_hashes=()
161+ # SO this is breaking because our cert (at least the testing one) is not generated as codesign
162+ while IFS= read -r hash; do
163+ [[ -n "$hash" ]] && codesign_hashes+=("$hash")
164+ done < <(security find-identity -v -p codesigning "$keychain_path" \
165+ | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \
166+ | sort -u)
167+
168+ if ((${#codesign_hashes[@]} == 0)); then
169+ echo "No signing identities found in $keychain_path"
170+ cleanup_keychain
171+ rm -f "$cert_path"
172+ exit 1
173+ fi
174+
175+ if ((${#codesign_hashes[@]} > 1)); then
176+ echo "Multiple signing identities found in $keychain_path:"
177+ printf ' %s\n' "${codesign_hashes[@]}"
178+ cleanup_keychain
179+ rm -f "$cert_path"
180+ exit 1
181+ fi
182+
183+ APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
184+ # export APPLE_CODESIGN_IDENTITY
185+ # echo "Resolved codesign identity: $APPLE_CODESIGN_IDENTITY"
186+
187+ rm -f "$cert_path"
188+
189+ echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV"
190+ echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
191+
192+ if : ${{ matrix.runner == 'macos-14' }}
193+ name : Sign macOS binaries
194+ shell : bash
195+ run : |
196+ set -euo pipefail
197+
198+ if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
199+ echo "APPLE_CODESIGN_IDENTITY is required for macOS signing"
200+ exit 1
201+ fi
202+
203+ keychain_args=()
204+ if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
205+ keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
206+ fi
207+
208+ for binary in codex codex-responses-api-proxy; do
209+ path="target/${{ matrix.target }}/release/${binary}"
210+ codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
211+ done
212+
102213name : Stage artifacts
103214 shell : bash
104215 run : |
@@ -157,6 +268,29 @@ jobs:
157268 zstd -T0 -19 --rm "$dest/$base"
158269 done
159270
271+ name : Remove signing keychain
272+ if : ${{ always() && matrix.runner == 'macos-14' }}
273+ shell : bash
274+ env :
275+ APPLE_CODESIGN_KEYCHAIN : ${{ env.APPLE_CODESIGN_KEYCHAIN }}
276+ run : |
277+ set -euo pipefail
278+ if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
279+ keychain_args=()
280+ while IFS= read -r keychain; do
281+ [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
282+ [[ -n "$keychain" ]] && keychain_args+=("$keychain")
283+ done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
284+ if ((${#keychain_args[@]} > 0)); then
285+ security list-keychains -s "${keychain_args[@]}"
286+ security default-keychain -s "${keychain_args[0]}"
287+ fi
288+
289+ if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
290+ security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
291+ fi
292+ fi
293+
160294uses : actions/upload-artifact@v4
161295 with :
162296 name : ${{ matrix.target }}
0 commit comments