[release] Add a dmg target for MacOS (#8207)

Add a dmg target that bundles the codex and codex responses api proxy
binaries for MacOS. this target is signed and notarized.

Verified by triggering a build here:
https://github.com/openai/codex/actions/runs/20318136302/job/58367155205.
Downloaded the artifact and verified that the dmg is signed and
notarized, and the codex binary contained works as expected.

.github/actions/macos-code-sign/action.yml

@@ -4,6 +4,14 @@ inputs:
   target:
     description: Rust compilation target triple (e.g. aarch64-apple-darwin).
     required: true
+  sign-binaries:
+    description: Whether to sign and notarize the macOS binaries.
+    required: false
+    default: "true"
+  sign-dmg:
+    description: Whether to sign and notarize the macOS dmg.
+    required: false
+    default: "true"
   apple-certificate:
     description: Base64-encoded Apple signing certificate (P12).
     required: true
@@ -107,6 +115,7 @@ runs:
         echo "::add-mask::$APPLE_CODESIGN_IDENTITY"
 
     - name: Sign macOS binaries
+      if: ${{ inputs.sign-binaries == 'true' }}
       shell: bash
       run: |
         set -euo pipefail
@@ -127,6 +136,7 @@ runs:
         done
 
     - name: Notarize macOS binaries
+      if: ${{ inputs.sign-binaries == 'true' }}
       shell: bash
       env:
         APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
@@ -149,6 +159,8 @@ runs:
         }
         trap cleanup_notary EXIT
 
+        source "$GITHUB_ACTION_PATH/notary_helpers.sh"
+
         notarize_binary() {
           local binary="$1"
           local source_path="codex-rs/target/${{ inputs.target }}/release/${binary}"
@@ -162,32 +174,54 @@ runs:
           rm -f "$archive_path"
           ditto -c -k --keepParent "$source_path" "$archive_path"
 
-          submission_json=$(xcrun notarytool submit "$archive_path" \
-            --key "$notary_key_path" \
-            --key-id "$APPLE_NOTARIZATION_KEY_ID" \
-            --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
-            --output-format json \
-            --wait)
-
-          status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
-          submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
-
-          if [[ -z "$submission_id" ]]; then
-            echo "Failed to retrieve submission ID for $binary"
-            exit 1
-          fi
-
-          echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}"
-
-          if [[ "$status" != "Accepted" ]]; then
-            echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})"
-            exit 1
-          fi
+          notarize_submission "$binary" "$archive_path" "$notary_key_path"
         }
 
         notarize_binary "codex"
         notarize_binary "codex-responses-api-proxy"
 
+    - name: Sign and notarize macOS dmg
+      if: ${{ inputs.sign-dmg == 'true' }}
+      shell: bash
+      env:
+        APPLE_NOTARIZATION_KEY_P8: ${{ inputs.apple-notarization-key-p8 }}
+        APPLE_NOTARIZATION_KEY_ID: ${{ inputs.apple-notarization-key-id }}
+        APPLE_NOTARIZATION_ISSUER_ID: ${{ inputs.apple-notarization-issuer-id }}
+      run: |
+        set -euo pipefail
+
+        for var in APPLE_CODESIGN_IDENTITY APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do
+          if [[ -z "${!var:-}" ]]; then
+            echo "$var is required"
+            exit 1
+          fi
+        done
+
+        notary_key_path="${RUNNER_TEMP}/notarytool.key.p8"
+        echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path"
+        cleanup_notary() {
+          rm -f "$notary_key_path"
+        }
+        trap cleanup_notary EXIT
+
+        source "$GITHUB_ACTION_PATH/notary_helpers.sh"
+
+        dmg_path="codex-rs/target/${{ inputs.target }}/release/codex-${{ inputs.target }}.dmg"
+
+        if [[ ! -f "$dmg_path" ]]; then
+          echo "dmg $dmg_path not found"
+          exit 1
+        fi
+
+        keychain_args=()
+        if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
+          keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
+        fi
+
+        codesign --force --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$dmg_path"
+        notarize_submission "codex-${{ inputs.target }}.dmg" "$dmg_path" "$notary_key_path"
+        xcrun stapler staple "$dmg_path"
+
     - name: Remove signing keychain
       if: ${{ always() }}
       shell: bash

.github/actions/macos-code-sign/notary_helpers.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+notarize_submission() {
+  local label="$1"
+  local path="$2"
+  local notary_key_path="$3"
+
+  if [[ -z "${APPLE_NOTARIZATION_KEY_ID:-}" || -z "${APPLE_NOTARIZATION_ISSUER_ID:-}" ]]; then
+    echo "APPLE_NOTARIZATION_KEY_ID and APPLE_NOTARIZATION_ISSUER_ID are required for notarization"
+    exit 1
+  fi
+
+  if [[ -z "$notary_key_path" || ! -f "$notary_key_path" ]]; then
+    echo "Notary key file $notary_key_path not found"
+    exit 1
+  fi
+
+  if [[ ! -f "$path" ]]; then
+    echo "Notarization payload $path not found"
+    exit 1
+  fi
+
+  local submission_json
+  submission_json=$(xcrun notarytool submit "$path" \
+    --key "$notary_key_path" \
+    --key-id "$APPLE_NOTARIZATION_KEY_ID" \
+    --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \
+    --output-format json \
+    --wait)
+
+  local status submission_id
+  status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"')
+  submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""')
+
+  if [[ -z "$submission_id" ]]; then
+    echo "Failed to retrieve submission ID for $label"
+    exit 1
+  fi
+
+  echo "::notice title=Notarization::$label submission ${submission_id} completed with status ${status}"
+
+  if [[ "$status" != "Accepted" ]]; then
+    echo "Notarization failed for ${label} (submission ${submission_id}, status ${status})"
+    exit 1
+  fi
+}