
Bump Apple-Actions/import-codesign-certs from 6.1.0 to 7.0.0 #355

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/Apple-Actions/import-codesign-certs-7.0.0

Conversation


dependabot[bot] commented on behalf of github on Apr 28, 2026

Bumps Apple-Actions/import-codesign-certs from 6.1.0 to 7.0.0.

Release notes

Sourced from Apple-Actions/import-codesign-certs's releases.

v7.0.0

What's Changed

Full Changelog: Apple-Actions/import-codesign-certs@v6.1.0...v7.0.0

Commits
  • 5142e02 [main] Switch from ncc to esbuild and upgrade dependencies
  • d118e79 [main] Lock down versions with SHA
  • fa7fd27 Merge pull request #173 from Apple-Actions/dependabot/npm_and_yarn/knip-6.2.0
  • 44741a8 Bump knip from 5.78.0 to 6.2.0
  • 71c8098 Merge pull request #168 from Apple-Actions/dependabot/npm_and_yarn/picomatch-...
  • 7ebdf79 Bump picomatch from 2.3.1 to 2.3.2
  • 4cf892c Merge pull request #167 from Apple-Actions/dependabot/github_actions/actions/...
  • 0d67bcd Bump actions/setup-node from 6.2.0 to 6.3.0
  • 50a47bf Merge pull request #166 from Apple-Actions/dependabot/npm_and_yarn/flatted-3.4.2
  • 2219450 Bump flatted from 3.4.1 to 3.4.2
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk because it only changes the GitHub Actions dependency used to import macOS signing certs, but it could affect notarized/release builds if the new action version behaves differently.

Overview
Updates the build-packages.yml workflow to use Apple-Actions/import-codesign-certs@v7.0.0 for importing the Apple app signing certificate on macOS optimized builds.

Reviewed by Cursor Bugbot for commit f72f0a1. Bugbot is set up for automated code reviews on this repo.

Bumps [Apple-Actions/import-codesign-certs](https://github.com/apple-actions/import-codesign-certs) from 6.1.0 to 7.0.0.
- [Release notes](https://github.com/apple-actions/import-codesign-certs/releases)
- [Commits](Apple-Actions/import-codesign-certs@v6.1.0...v7.0.0)

---
updated-dependencies:
- dependency-name: Apple-Actions/import-codesign-certs
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the Changed, dependencies and github_actions labels on Apr 28, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Checking how the action is used in the repo and sampling upstream action.yml / inputs for consistency.

Verdict: benign

Why this reads as a normal maintainer release, not compromise

  • Identity / typosquatting: The dependency is the long‑standing Apple-Actions/import-codesign-certs repo under the Apple Actions org—not a look‑alike name.

  • Release vs. diff shape: v7.0.0 calls out ncc → esbuild, which explains a major bump and a large dist/index.js rewrite plus lockfile churn—consistent with a rebuild, not an unexplained payload drop.

  • Malware scanner (your hard evidence)

    • Unicode / confusable / IOC: 0 post‑allowlist → no invisible Unicode / Trojan‑Source–style signals from this scan.
    • charCodeAt / “codepoint_decoder” heuristics: Very noisy on minified/bundled JS (HTTP parsing, polyfills, etc.); the report itself treats these as bulk heuristics, not confirmed malicious patterns.
    • exec / child_process / security: Expected for this action: it drives the macOS security tool via @actions/exec to import certs—those hits are domain‑appropriate, not arbitrary shell exfiltration.
  • Dependency integrity: Scanner resolved tag range fe74d46…5142e02… to v7.0.0; commits include tooling migration and “lock down versions with SHA” (typically strengthens pinning, not evasion). Heuristic semver / maintainer drift flags are consistent with any major bump, not proof of account takeover.

  • Dependabot PR scope: Your consumer change is a uses: version pin (e.g. Apple-Actions/import-codesign-certs@v7.0.0 with p12-file-base64 / p12-password)—standard. Upstream edits under its .github/workflows/ are that repo’s CI, not evidence of tampering in your workflow unless your PR unexpectedly rewrote unrelated jobs (your snippet shows only the pin).

Actionable follow‑ups (optional, not malware‑driven)

  • Merge after macOS signing job passes (real compatibility check).
  • Prefer @v7.0.0 → full commit SHA pin if your policy requires immutable refs for third‑party actions.

Scanner vs. interpretation: The high heuristic count is not inconsistent with benign esbuild‑bundled output; absence of unicode/confusable/IOC positives is the stronger signal here.

Compatibility Analysis

Searching the repo for usage and inspecting the upstream action for API changes.

1) Where it’s used

Only in .github/workflows/build-packages.yml — step Import Apple app signing certificate (~lines 103–108), guarded by macOS + optimized=1 + HAS_APPLE_SECRET == 'true'. It passes p12-file-base64 and p12-password from secrets. No other workflow references this action.

2) Overlap with likely changes (release notes + upstream)

Release notes emphasize ncc → esbuild and dependency bumps — those affect how dist/index.js is built, not the Actions surface.

In .upstream-dependency, git diff v6.1.0 v7.0.0 -- action.yml is empty: inputs, outputs, and runs using: node24 are unchanged between v6.1.0 and v7.0.0. Your usage (p12-file-base64, p12-password) still matches action.yml exactly.

3) Risks / unknowns

  • Low: Any risk is from different bundled JS (esbuild vs ncc) while doing the same security/keychain logic — hard to preview without running on a macOS runner with real secrets.
  • CI coverage: Fork PRs / missing secrets skip this step, so green CI does not always prove the import step ran.
  • Heuristic scanners flag 6.x → 7.x — here the public contract did not change; that flag is informational.

4) Recommendation

Merge. No workflow input/output changes; your call site stays valid. Optionally treat the next real macOS signed build (with secrets) as the definitive smoke test after merge.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 13
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: fe74d46e82474f87e1ba79832ad28a4013d0e33a..5142e029c445c10ffc7149d172e540235a065466
  • Resolved refs: from=fe74d46e82474f87e1ba79832ad28a4013d0e33a to=5142e029c445c10ffc7149d172e540235a065466
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 299

Top findings

  • dist/index.js:845 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • dist/index.js:867 codepoint_decoder :: const code = key.charCodeAt(index);
  • dist/index.js:1351 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • dist/index.js:2808 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • dist/index.js:3414 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/index.js:3416 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/index.js:3496 codepoint_decoder :: while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;
  • dist/index.js:3499 codepoint_decoder :: while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;
  • dist/index.js:3863 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • dist/index.js:3865 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • dist/index.js:4037 codepoint_decoder :: const code = url.charCodeAt(i);
  • dist/index.js:4063 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • dist/index.js:4617 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • dist/index.js:4630 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/index.js:4644 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • dist/index.js:4657 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/index.js:4756 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • dist/index.js:4765 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • dist/index.js:5104 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
  • dist/index.js:5116 codepoint_decoder :: const cp = boundary.charCodeAt(i);
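The SHA-pinning follow-up and the `uses:` call-site check in the analysis above, as an added example that is not code from this PR or from Apple-Actions: it scans a constructed workflow fragment for third-party actions referenced by a mutable tag and rewrites them to a full commit SHA. The workflow text is constructed; the v7.0.0 SHA is the `to=` ref from the scanner summary above, and in real use every tag must be resolved with `git ls-remote --tags` against the upstream repository before it is trusted.

```python
import re
# Constructed workflow fragment modelled on the signing step the analysis describes.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Import Apple app signing certificate
        if: runner.os == 'macOS' && env.HAS_APPLE_SECRET == 'true'
        uses: Apple-Actions/import-codesign-certs@v7.0.0
        with:
          p12-file-base64: ${{ secrets.APPLE_CERT_P12 }}
          p12-password: ${{ secrets.APPLE_CERT_PASSWORD }}
      - uses: ./.github/actions/local-step
"""

# Tag -> commit map. The v7.0.0 SHA is the "to=" ref from the scanner summary
# above; resolve tags yourself (git ls-remote --tags) before trusting a SHA.
RESOLVED = {("Apple-Actions/import-codesign-certs", "v7.0.0"):
            "5142e029c445c10ffc7149d172e540235a065466"}
# Matches remote `uses: owner/repo@ref` lines; local paths (./...) carry no '@'.
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*)uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_uses(text):
    """Return (line_no, action, ref) for every remote action reference."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            out.append((n, m["action"], m["ref"]))
    return out

def audit_mutable_refs(text, trusted_owners=()):
    """References that are not a full commit SHA; tags and branches can move."""
    return [(n, a, r) for n, a, r in find_uses(text)
            if not SHA_RE.match(r) and a.split("/")[0] not in trusted_owners]

def pin_to_sha(text, resolved):
    """Rewrite `@tag` to `@<sha> # tag` for each (action, tag) in `resolved`;
    Dependabot keeps that trailing version comment current on later bumps."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        key = (m["action"], m["ref"]) if m else None
        if key in resolved:
            line = f"{m['indent']}uses: {m['action']}@{resolved[key]} # {m['ref']}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `audit_mutable_refs` in CI against every workflow file turns the optional "full commit SHA pin" recommendation into an enforced policy, while `trusted_owners` lets a team exempt first-party orgs if it chooses to.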

