
Add unsigned macOS release artifacts #22559

Merged: shijie-oai merged 4 commits into main from shijie/release-unsigned-macos-artifacts on May 13, 2026

@shijie-oai (Collaborator) commented May 13, 2026

Summary

  • Upload unsigned macOS release binaries before signing so they remain available from the workflow run if signing fails
  • Add a manual workflow_dispatch option, sign_macos, defaulting to true
  • When sign_macos=false, skip macOS signing, signed-name macOS artifacts, DMGs, npm/DotSlash/PyPI publishing, latest release marking, and latest-alpha-cli updates

Process

HAVE NOT TESTED YET BUT we should be able to run

gh workflow run rust-release.yml \
  -R openai/codex \
  --ref rust-v0.132.0 \
  -f sign_macos=false

which will then start the rust-release script with sign_macos and therefore will not codesign mac and also will not release afterward.

Comment on lines +309 to +321
for binary in ${{ matrix.binaries }}; do
binary_path="${release_dir}/${binary}"
unsigned_name="${binary}-${target}-unsigned"
unsigned_path="${dest}/${unsigned_name}"
if [[ ! -f "${binary_path}" ]]; then
echo "Binary ${binary_path} not found"
exit 1
fi

cp "${binary_path}" "${unsigned_path}"
tar -C "$dest" -czf "${unsigned_path}.tar.gz" "${unsigned_name}"
zstd -T0 -19 --rm "${unsigned_path}"
done
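
Review bot: On the `for binary in ${{ matrix.binaries }}; do` line, the Actions expression is substituted into the script text before bash parses it, so the matrix value is read as shell source rather than as data. Pass it through the step's `env:` block (for example as a variable named `BINARIES`, a name chosen here for illustration) and loop over that variable instead, which keeps the value out of the script body. Separately, the loop leaves an `-unsigned.tar.gz` and an `-unsigned.zst` file per binary in `${dest}`, and the lines shown record no digest for them; writing a SHA-256 for each unsigned archive in the same step would let someone later confirm which unsigned build a signed binary was produced from.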
Collaborator Author


This is before signing - so we copy the unsigned file and add -unsigned and put them aside.

@shijie-oai shijie-oai marked this pull request as draft May 13, 2026 22:41
@bolinfest (Collaborator) left a comment

looks good so far

@shijie-oai shijie-oai requested a review from bolinfest May 13, 2026 23:05
Comment on lines +41 to +44
if [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && "${SIGN_MACOS}" == "true" ]]; then
echo "❌ Manual rust-release runs must set sign_macos=false"
exit 1
fi
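
Review bot: The condition on the first line rejects a manual run only when `SIGN_MACOS` is exactly `true`, so an empty value or any other string falls through the guard, and how later steps treat such a value is not visible in this hunk. Failing closed is safer: exit unless `"${SIGN_MACOS}" == "false"` for `workflow_dispatch` events, which also matches what the error message tells the user to set. Since the summary says the input defaults to true, a dispatch with no input always hits this exit; a short comment above the check stating that this is intended would save the next reader the question, and the message would be better sent to stderr.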
Collaborator Author


This would block any manual workflow trigger if sign_macos is set to true or unset (defaults to true).

@shijie-oai shijie-oai marked this pull request as ready for review May 13, 2026 23:27
@shijie-oai shijie-oai merged commit 49d1f66 into main May 13, 2026
31 checks passed
@shijie-oai shijie-oai deleted the shijie/release-unsigned-macos-artifacts branch May 13, 2026 23:47
@github-actions github-actions Bot locked and limited conversation to collaborators May 13, 2026
@bolinfest (Collaborator)

@shijie-oai @viyatb-oai I don't feel like this boolean for signing should be specific to macOS: it should apply to all platforms.
