
Bump Apple-Actions/import-codesign-certs from 6 to 6.1.0 #352

Merged
emlowe merged 1 commit into main from dependabot/github_actions/Apple-Actions/import-codesign-certs-6.1.0 on Apr 22, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 21, 2026

Bumps Apple-Actions/import-codesign-certs from 6 to 6.1.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk: a patch-level GitHub Action version bump that only affects macOS code-signing setup in CI.

Overview
Updates the macOS CI signing step in build-packages.yml to use Apple-Actions/import-codesign-certs@v6.1.0 instead of v6, keeping the workflow behavior the same while pulling in the newer action release.

Reviewed by Cursor Bugbot for commit 9499c96. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [Apple-Actions/import-codesign-certs](https://github.com/apple-actions/import-codesign-certs) from 6 to 6.1.0.
- [Release notes](https://github.com/apple-actions/import-codesign-certs/releases)
- [Commits](Apple-Actions/import-codesign-certs@v6...v6.1.0)

---
updated-dependencies:
- dependency-name: Apple-Actions/import-codesign-certs
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file), github_actions (Pull requests that update Github_actions code) on Apr 21, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Gathering workflow usage and upstream action context to complete the supply-chain review.

Verdict: benign

Why this looks safe

  • Official action, narrow use: The workflow only bumps the pinned action to Apple-Actions/import-codesign-certs@v6.1.0 for importing a P12 into the macOS keychain (p12-file-base64 / p12-password from secrets)—the expected use of this action.

```yaml
      - name: Import Apple app signing certificate
        if: startsWith(matrix.os, 'macos') && matrix.config == 'optimized=1' && steps.check_secrets.outputs.HAS_APPLE_SECRET == 'true'
        uses: Apple-Actions/import-codesign-certs@v6.1.0
        with:
          p12-file-base64: ${{ secrets.APPLE_DEV_ID_APP }}
          p12-password: ${{ secrets.APPLE_DEV_ID_APP_PASS }}
```

  • Tag / commit reality (upstream mirror): In .upstream-dependency, v6 and v6.1.0 both peel to the same commit (fe74d46…). So this Dependabot bump is effectively re-pinning to a semver tag for content you may already be running under @v6, not introducing a new, unreviewed code revision.

  • Scanner report: unicode / confusable / ioc are empty (good). The shell_process_spawn hit on "@actions/exec" in package.json is a known false positive for Actions that shell out to security—normal for this project. maintainer_drift 6→6.1.0 is not evidence of npm publisher compromise here; it’s a version-label change on a GitHub Action reference, not a malicious dependency graph shift.

  • Checklist: No evidence of obfuscation, unexpected hosts, persistence, typosquat (Apple-Actions/...), lifecycle script abuse, or suspicious extra workflow edits beyond the expected uses: version bump.

Actionable note: If you want extra assurance, on GitHub compare v6…v6.1.0; in many setups this is a tagging/metadata alignment. The local mirror’s identical peeled commits align with your scanner’s resolved_from / resolved_to being the same hash.

Compatibility Analysis

Searching the repo for usages and inspecting upstream changes between v6 and v6.1.0.

1) Where it’s used

Only one real workflow reference under .github/:

```yaml
      - name: Import Apple app signing certificate
        if: startsWith(matrix.os, 'macos') && matrix.config == 'optimized=1' && steps.check_secrets.outputs.HAS_APPLE_SECRET == 'true'
        uses: Apple-Actions/import-codesign-certs@v6.1.0
        with:
          p12-file-base64: ${{ secrets.APPLE_DEV_ID_APP }}
          p12-password: ${{ secrets.APPLE_DEV_ID_APP_PASS }}
```

Other rg hits are review/scan artifacts (malware_scan_*, cursor_*, package_usage.txt, etc.), not runtime workflow usage.

2) Overlap with upstream changes

In .upstream-dependency, v6 and v6.1.0 are annotated tags that peel to the same commit (fe74d46…, message “Upgrade version to 6.1.0”). There is no tree/code diff between those two tags’ target commits.

Your workflow only uses p12-file-base64 and p12-password, which match current action.yml inputs (keychain / create-keychain stay at documented defaults). No renamed/removed inputs affect this call site.

3) Risks / unknowns

  • Functional risk from the version bump itself: very low — same commit as v6’s peeled target; this is mainly a more explicit semver pin.
  • Execution risk (unchanged): step only runs on macOS optimized jobs when APPLE_DEV_ID_APP is set; failures would still be keychain/cert/secrets/runner issues, not this bump.
  • Noise: maintainer_drift in malware heuristics is not meaningful for this GitHub Action (pattern misfire on action coordinates).

4) Recommendation

Merge — adoption matches the action’s inputs; v6 → v6.1.0 does not introduce a new action revision here, only a clearer tag. Optional: run or watch the next macOS + signing CI path if you want empirical confirmation.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 1
  • Resolution strategy: to_version_single_commit
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: fe74d46e82474f87e1ba79832ad28a4013d0e33a..fe74d46e82474f87e1ba79832ad28a4013d0e33a
  • Resolved refs: from=fe74d46e82474f87e1ba79832ad28a4013d0e33a to=fe74d46e82474f87e1ba79832ad28a4013d0e33a
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 2

Top findings

  • package.json:32 shell_process_spawn :: "@actions/exec": "~3.0.0",
  • Apple-Actions/import-codesign-certs:0 maintainer_drift :: 6->6.1.0

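The review above turns on one check: whether the old and new tags peel to the same commit, and whether the pin is a mutable tag or an immutable SHA. The following is an added example (not code from this PR, from Dependabot, or from the action's project) that performs that check on `uses:` lines; the PEELED map is constructed here and would in practice be filled from the peeled entries of `git ls-remote --tags` or `git rev-parse <tag>^{commit}` in a mirror, and `example/other-action` is a hypothetical action added only to show a bump that does move code.

```python
"""Does a GitHub Actions version bump change the code CI runs? (added example, not from the PR)
Assumes: the `uses:` lines are from this PR's build-packages.yml; PEELED is a constructed
map of (action, ref) -> peeled commit that you would really fill from the peeled entries
of `git ls-remote --tags <repo>` (refs/tags/v6^{}) or `git rev-parse v6^{commit}` in a mirror.
"""
import re

USES_RE = re.compile(r"^\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: the single call site from this PR, before and after the bump.
WORKFLOW_V6 = """      - name: Import Apple app signing certificate
        uses: Apple-Actions/import-codesign-certs@v6
"""
WORKFLOW_V6_1_0 = WORKFLOW_V6.replace("@v6\n", "@v6.1.0\n")

# Constructed peeled-tag map: the first two entries use the commit reported on this PR;
# the hypothetical "example/other-action" entries show a bump that DOES move code.
PEELED = {
    ("Apple-Actions/import-codesign-certs", "v6"): "fe74d46e82474f87e1ba79832ad28a4013d0e33a",
    ("Apple-Actions/import-codesign-certs", "v6.1.0"): "fe74d46e82474f87e1ba79832ad28a4013d0e33a",
    ("example/other-action", "v1"): "a" * 40,
    ("example/other-action", "v1.1.0"): "b" * 40,
}

def parse_uses(workflow_text):
    """Return [(action, ref), ...] for every `uses: owner/repo@ref` line."""
    return USES_RE.findall(workflow_text)

def classify_ref(ref):
    """'sha' for an immutable 40-hex pin; 'tag' for a mutable tag or branch name."""
    return "sha" if SHA_RE.match(ref) else "tag"

def review_bump(old_workflow, new_workflow, peeled):
    """For each action in the new workflow report old/new ref, whether the new pin is
    immutable, and whether the peeled commit changed (same target = no new code)."""
    old = dict(parse_uses(old_workflow))
    findings = {}
    for action, new_ref in parse_uses(new_workflow):
        old_ref = old.get(action, new_ref)
        old_sha, new_sha = peeled.get((action, old_ref)), peeled.get((action, new_ref))
        if old_sha is None or new_sha is None:
            raise KeyError(f"cannot resolve {action}@{old_ref} or @{new_ref}")
        findings[action] = {"old": old_ref, "new": new_ref, "pin": classify_ref(new_ref),
                            "code_changed": old_sha != new_sha}
    return findings

def sha_pin_line(action, ref, peeled):
    """Hardened form: pin the peeled commit and keep the tag as a trailing comment."""
    return f"uses: {action}@{peeled[(action, ref)]} # {ref}"
```

For this PR the result is `pin: tag, code_changed: False`, matching the reviewers' finding that the bump is a re-label of the same commit; `sha_pin_line` renders the immutable form if the repo later moves to SHA pinning.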
@emlowe emlowe merged commit 1c63289 into main Apr 22, 2026
67 checks passed
@emlowe emlowe deleted the dependabot/github_actions/Apple-Actions/import-codesign-certs-6.1.0 branch April 22, 2026 15:20