Skip to content

Commit 05017a7

Browse files
beautyfreeclaude
andcommitted
Import Developer ID cert into macOS runner keychain
The release workflow previously failed on the macOS build step with "The specified item could not be found in the keychain." because GitHub Actions macOS runners start with an empty codesign identity. Decode the Developer ID .p12 (stored as MACOS_CERT_P12 secret, base64), create a temporary keychain, import the identity, and authorize codesign to use it without a UI prompt. The keychain auto-locks after 6h and is discarded with the runner. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent a0ecf71 commit 05017a7

1 file changed

Lines changed: 32 additions & 0 deletions

File tree

.github/workflows/release.yml

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -90,6 +90,38 @@ jobs:
9090
9191
- run: bun install --frozen-lockfile
9292

93+
# Import the Developer ID signing cert into a temporary keychain. The
94+
# macOS runner has no signing identity by default; without this,
95+
# `codesign --sign "$ELECTROBUN_DEVELOPER_ID" …` fails with
96+
# "The specified item could not be found in the keychain."
97+
- name: Import Developer ID certificate (macOS)
98+
if: runner.os == 'macOS'
99+
env:
100+
MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
101+
MACOS_CERT_P12_PASSWORD: ${{ secrets.MACOS_CERT_P12_PASSWORD }}
102+
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
103+
run: |
104+
KEYCHAIN_PATH="$RUNNER_TEMP/skiller-build.keychain-db"
105+
CERT_PATH="$RUNNER_TEMP/cert.p12"
106+
107+
echo "$MACOS_CERT_P12" | base64 --decode > "$CERT_PATH"
108+
109+
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
110+
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
111+
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
112+
113+
security import "$CERT_PATH" \
114+
-P "$MACOS_CERT_P12_PASSWORD" \
115+
-A -t cert -f pkcs12 \
116+
-k "$KEYCHAIN_PATH"
117+
# Allow codesign to use the key without a UI prompt.
118+
security set-key-partition-list -S apple-tool:,apple:,codesign: \
119+
-s -k "$MACOS_KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
120+
# Put our keychain first in the search list so codesign finds it.
121+
security list-keychain -d user -s "$KEYCHAIN_PATH" login.keychain
122+
123+
rm -f "$CERT_PATH"
124+
93125
# Write the App Store Connect API .p8 key from a secret so notarytool can
94126
# use it. Secret contents should be the raw contents of AuthKey_XXXX.p8.
95127
- name: Write notarization API key (macOS)

0 commit comments

Comments
 (0)