
supabase / cli / 28097044625
develop: 65%

LAST BUILD BRANCH: gh-readonly-queue/develop/pr-5718-64df2ba83785d849fd230ef7aea7cf5a60de63c4
DEFAULT BRANCH: develop
Ran 24 Jun 2026 12:04PM UTC
Jobs 1
Files 228
Run time 1min

24 Jun 2026 12:02PM UTC coverage: 64.886%. Remained the same
28097044625

push

github

web-flow
ci(cli): add macOS code signing with rcodesign (#5675)

Implement Phase 1 of macOS code signing to fix the SIGKILL issue on
macOS 26+ (CLI-1621). The Bun SFE and Go sidecar binaries are now signed
with a full ad-hoc signature during the build pipeline, replacing the
degenerate linker-signed signature that AMFI rejects.

## Changes

- **Build pipeline signing**: Added `signDarwinBinaries()` and
`resolveSignMode()` to `apps/cli/scripts/build.ts` to sign macOS
binaries (`supabase` and `supabase-go`) with `rcodesign` between
compilation and archiving. This ensures all distribution channels (npm,
Homebrew, GitHub Releases) ship the signed bytes.

- **CI integration**: Updated
`.github/workflows/build-cli-artifacts.yml` to install `rcodesign`
v0.29.0 (pinned with sha256), set `SUPABASE_CLI_REQUIRE_SIGNING=1` to
enforce signing in release builds, and verify signatures post-build
using `rcodesign print-signature-info`.

- **Smoke test verification**: Extended
`apps/cli/tests/smoke-test-macos.ts` with native signature verification
via new `verifyMacSignature()` helper in
`apps/cli/tests/helpers/macos-signature.ts`. On macOS runners, this
checks the signature is valid, carries the correct identifier
(`com.supabase.cli` / `com.supabase.cli-go`), and is no longer
linker-signed.

- **Documentation**: Added ADR 0013 documenting the decision, rationale,
and Phase 2 roadmap (Developer ID + notarization). Updated
`release-process.md` and `binary-distribution.md` to describe the
signing step and its role in the release pipeline.

## Implementation details

- **No Apple credentials required for Phase 1**: Full ad-hoc signatures
are self-contained and do not require an Apple Developer ID. This fixes
the SIGKILL without blocking on account provisioning.

- **Linux-only signing**: `rcodesign` runs on the existing Linux build
runner, avoiding a macOS job and pipeline split. Verification happens on
macOS smoke-test runners.

- **Graceful degradation**: Local builds without `... (continued)

10869 of 16751 relevant lines covered (64.89%)

10.29 hits per line

Coverage Regressions

Lines | Coverage | ∆ | File
2 | 82.41 | 0.0% | internal/storage/rm/rm.go

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 28097044625.1 | 24 Jun 2026 12:04PM UTC | 228 | 64.89
  • 71338e67 on github
  • Prev Build on gh-readonly-queue/develop/pr-5664-04b9db490b668d7289ef5b3c591e8ee15babb465 (#28084420327)