From 21797cf056c6fdc7ecf27ab337ae5cfb4004ebab Mon Sep 17 00:00:00 2001
From: tannevaled
Date: Sat, 6 Jun 2026 08:44:38 +0200
Subject: [PATCH] ci(setup): add `skip-codesign-import` lever for adhoc-only recipes
Defense-in-depth follow-up to pkgxdev/brewkit#353. Some recipes ship binaries with entitlements that require either adhoc signing or a Developer ID with a matching provisioning profile (notably `com.apple.security.virtualization` and `com.apple.security.hypervisor`). brewkit#353 already handles the binary side correctly -- it sees these entitlements in the Mach-O and forces adhoc signing in fix-machos.rb, regardless of what signing identity the workflow imported. This change adds a complementary workflow-level lever: when a caller knows a recipe needs adhoc only, it can pass `skip-codesign-import: true` and the Apple Developer ID is never brought into the keychain in the first place. Avoids importing a cert we won't end up using, and reduces the window during which the cert exists on the runner. The default stays false -- behavior of every existing call is unchanged. This patch only exposes the lever through the call chain: pkg.yml (workflow_call input) -> pkg-platform.yml (workflow_call input) -> .github/actions/setup (composite input, gates the import step)
Picking which recipes opt in is intentionally left out of this patch. lima-vm.io is the obvious first candidate (see pkgxdev/pantry#7853).
Refs: pkgxdev/pantry#7853, pkgxdev/brewkit#353
Co-Authored-By: Claude Opus 4.7
---
 .github/actions/setup/action.yml | 14 ++++++++++++--
 .github/workflows/pkg-platform.yml | 8 ++++++++
 .github/workflows/pkg.yml | 8 ++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index df748bb94e..be17bc167e 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -11,6 +11,16 @@ inputs:
 APPLE_IDENTITY:
 description: Apple identity to use for signing
 required: false
+ skip-codesign-import:
+ description: >
+ When 'true', skip importing the Apple Developer ID into the keychain.
+ Useful for recipes whose binaries require adhoc signing (eg. those
+ carrying com.apple.security.virtualization / .hypervisor entitlements,
+ which need either adhoc or a matching provisioning profile to be
+ accepted by macOS at runtime). Defense-in-depth on top of brewkit's
+ fix-machos.rb policy. See pkgxdev/pantry#7853.
+ required: false
+ default: 'false'
 runs:
 using: composite
@@ -38,11 +48,11 @@ runs:
 # delete it if it does.
 - name: Delete keychain
 shell: sh
- if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64
+ if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64 && inputs.skip-codesign-import != 'true'
 run: security delete-keychain signing_temp.keychain || true
 - uses: apple-actions/import-codesign-certs@v6
- if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64
+ if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64 && inputs.skip-codesign-import != 'true'
 with:
 p12-file-base64: ${{ inputs.p12-file-base64 }}
 p12-password: ${{ inputs.p12-password }}
diff --git a/.github/workflows/pkg-platform.yml b/.github/workflows/pkg-platform.yml
index c6693dc2c4..bcde347981 100644
--- a/.github/workflows/pkg-platform.yml
+++ b/.github/workflows/pkg-platform.yml
@@ -40,6 +40,13 @@ on:
 invalidate-cloudfront:
 type: boolean
 default: true
+ skip-codesign-import:
+ description: >
+ Skip importing the Apple Developer ID into the keychain.
+ For recipes whose binaries need adhoc signing (virtualization /
+ hypervisor entitlements). See pkgxdev/pantry#7853.
+ type: boolean
+ default: false
 secrets:
 APPLE_CERTIFICATE_P12: { required: false }
 APPLE_CERTIFICATE_P12_PASSWORD: { required: false }
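Review bot: The new `skip-codesign-import` input is declared with `default: 'false'`, but the gate that consumes it further down (`inputs.skip-codesign-import != 'true'`) only recognizes the literal lowercase string `true`; a composite-action input is always a string, so `True`, `yes`, `1` or an empty expansion all fall through to importing the certificate, and the description should say so rather than only `When 'true'`. Suggested sentence to append to the folded description: `Only the literal string 'true' opts out; any other value, including an empty one, keeps the default import behaviour.` This fail-open direction is the safe one for existing callers, and the `type: boolean` workflow inputs added in pkg-platform.yml and pkg.yml should render as `true`/`false` when forwarded, so the callers in this patch appear compatible with the string comparison.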
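Review bot: Adding `&& inputs.skip-codesign-import != 'true'` to the `Delete keychain` step's `if:` means that when a recipe opts out of the import, a `signing_temp.keychain` left behind by an earlier job on a reused runner is no longer removed, which, judging by the `# delete it if it does.` comment above the step, is the situation that step exists for and works against the patch's aim of shortening the time the certificate is present on the runner. The deletion is already best-effort (`|| true`), so the new term belongs only on the `apple-actions/import-codesign-certs@v6` step; restore the first condition to `if: runner.os == 'macOS' && inputs.p12-password && inputs.p12-file-base64`. The two `if:` expressions are otherwise identical copies, so a one-line comment on the import step, such as `# skipped when the caller sets skip-codesign-import: 'true' (adhoc-only recipes)`, would make the lever easier to find for the next editor. The `runs.steps` list continues outside the hunk.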
@@ -80,6 +87,7 @@ jobs:
 p12-file-base64: ${{ secrets.APPLE_CERTIFICATE_P12 }}
 p12-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
 APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
+ skip-codesign-import: ${{ inputs.skip-codesign-import }}
 - uses: pkgxdev/setup@v5
 with:
diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml
index 5e88f4adce..c77341f136 100644
--- a/.github/workflows/pkg.yml
+++ b/.github/workflows/pkg.yml
@@ -16,6 +16,13 @@ on:
 invalidate-cloudfront:
 type: boolean
 default: true
+ skip-codesign-import:
+ description: >
+ Skip importing the Apple Developer ID into the keychain.
+ For recipes whose binaries need adhoc signing (virtualization /
+ hypervisor entitlements). See pkgxdev/pantry#7853.
+ type: boolean
+ default: false
 jobs:
 plan:
@@ -54,4 +61,5 @@ jobs:
 tinyname: ${{ matrix.platform.tinyname }}
 complain: ${{ inputs.complain }}
 invalidate-cloudfront: ${{ inputs.invalidate-cloudfront }}
+ skip-codesign-import: ${{ inputs.skip-codesign-import }}
 secrets: inherit