
Commit f8bf7a4

committed
Add step
1 parent 6f97ec4 commit f8bf7a4


1 file changed

+87
-0
lines changed


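--- a/.github/workflows/rust-release.yml
+++ b/.github/workflows/rust-release.yml
@@ -99,6 +99,70 @@ jobs:
 - name: Cargo build
 run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy
 
+- if: ${{ matrix.runner == 'macos-14' }}
+name: Configure Apple code signing
+shell: bash
+env:
+APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+KEYCHAIN_PASSWORD: actions
+run: |
+set -euo pipefail
+
+if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then
+echo "APPLE_CERTIFICATE secret is required for macOS signing"
+exit 1
+fi
+
+if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then
+echo "APPLE_CERTIFICATE_PASSWORD secret is required for macOS signing"
+exit 1
+fi
+
+cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
+echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
+
+keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
+security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+security set-keychain-settings -lut 21600 "$keychain_path"
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
+
+keychain_args=()
+while IFS= read -r keychain; do
+[[ -n "$keychain" ]] && keychain_args+=("$keychain")
+done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+if ((${#keychain_args[@]} > 0)); then
+security list-keychains -s "$keychain_path" "${keychain_args[@]}"
+else
+security list-keychains -s "$keychain_path"
+fi
+security default-keychain -s "$keychain_path"
+security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
+security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path"
+
+rm -f "$cert_path"
+
+echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV"
+
+- if: ${{ matrix.runner == 'macos-14' }}
+name: Sign macOS binaries
+shell: bash
+env:
+APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+run: |
+set -euo pipefail
+
+if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then
+echo "APPLE_CODESIGN_IDENTITY secret is required for macOS signing"
+exit 1
+fi
+
+for binary in codex codex-responses-api-proxy; do
+path="target/${{ matrix.target }}/release/${binary}"
+codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "$path"
+codesign --verify --deep --strict "$path"
+done
+
 - name: Stage artifacts
 shell: bash
 run: |
@@ -157,6 +221,29 @@ jobs:
 zstd -T0 -19 --rm "$dest/$base"
 done
 
+- name: Remove signing keychain
+if: ${{ always() && matrix.runner == 'macos-14' }}
+shell: bash
+env:
+APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }}
+run: |
+set -euo pipefail
+if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then
+keychain_args=()
+while IFS= read -r keychain; do
+[[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue
+[[ -n "$keychain" ]] && keychain_args+=("$keychain")
+done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+if ((${#keychain_args[@]} > 0)); then
+security list-keychains -s "${keychain_args[@]}"
+security default-keychain -s "${keychain_args[0]}"
+fi
+
+if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then
+security delete-keychain "$APPLE_CODESIGN_KEYCHAIN"
+fi
+fi
+
 - uses: actions/upload-artifact@v4
 with:
 name: ${{ matrix.target }}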
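Review bot: The decoded certificate written to `cert_path` at new line 123 of the first hunk is only removed by the `rm -f` at line 143, so under `set -euo pipefail` a failure in any of the `security create-keychain`/`import`/`set-key-partition-list` calls in between exits the step with the decrypted-capable `.p12` still on disk in `$RUNNER_TEMP`; registering the removal as an exit trap right after the path is assigned, `trap 'rm -f -- "$cert_path"' EXIT`, makes it run on every exit path. The "Remove signing keychain" step in the second hunk covers the keychain with `always()`, but nothing equivalent covers the certificate file. In that cleanup step, `security default-keychain -s "${keychain_args[0]}"` appears to assume the previous default keychain was first in the search list; capturing `security default-keychain` output in the configure step and restoring that value would make the assumption explicit. The job these steps belong to starts before the first hunk.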
