[BEEEP] - Sign and notarize CLI build binary#1051

Closed
BTreston wants to merge 5 commits into
mainfrom
sign-macos-cli-build

Conversation

@BTreston BTreston (Contributor) commented Mar 20, 2026

📔 Objective

Adds access to secrets to sign the CLI build binary for the macos-cli build step to resolve the error below:
[image: build error screenshot]

The build artifact in https://github.com/bitwarden/directory-connector/actions/runs/23356740801/job/67949409099?pr=1052 has the now working binary.

@codecov codecov Bot commented Mar 20, 2026
Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 6.79%. Comparing base (e143002) to head (4783be0).
⚠️ Report is 24 commits behind head on main.
✅ All tests successful. No failed tests found.

❗ There is a different number of reports uploaded between BASE (e143002) and HEAD (4783be0).

HEAD has 2 uploads less than BASE

Flag uploads:
  BASE (e143002): 3
  HEAD (4783be0): 1

Coverage diff:
@@            Coverage Diff            @@
##             main   #1051      +/-   ##
=========================================
- Coverage   15.11%   6.79%   -8.33%     
=========================================
  Files          67      67              
  Lines        2798    2798              
  Branches      483     483              
=========================================
- Hits          423     190     -233     
- Misses       2271    2576     +305     
+ Partials      104      32      -72     

@github-actions github-actions Bot commented Mar 20, 2026

Checkmarx One – Scan Summary & Details (2c207ba3-8653-4dc8-bd26-d3feeb9ca9a8)
New Issues (11): Checkmarx found the following issues in this Pull Request

Columns: #, Severity, Issue, Source File / Package, Checkmarx Insight

1. HIGH  CVE-2026-33228  Package: Npm-flatted-3.3.3  Insight: Vulnerable Package
   Recommended version: 3.4.2
   Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t...
   Attack Vector: NETWORK, Attack Complexity: LOW

2. HIGH  CVE-2026-3915  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Heap buffer overflow in WebML in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform an out of bounds memory read via a craft...
   Attack Vector: NETWORK, Attack Complexity: LOW

3. HIGH  CVE-2026-3924  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: (not given)
   Description: Use After Free in WindowDialog in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to potent...
   Attack Vector: NETWORK, Attack Complexity: HIGH

4. HIGH  CVE-2026-3932  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Insufficient policy enforcement in PDF in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictio...
   Attack Vector: NETWORK, Attack Complexity: LOW

5. MEDIUM  CVE-2026-3925  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Incorrect security UI in LookalikeChecks in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a ...
   Attack Vector: NETWORK, Attack Complexity: LOW

6. MEDIUM  CVE-2026-3927  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Incorrect security UI in PictureInPicture in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafted HT...
   Attack Vector: NETWORK, Attack Complexity: LOW

7. MEDIUM  CVE-2026-3937  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Incorrect security UI in Downloads in Google Chrome on Android prior to 146.0.7680.71 allowed a remote attacker to perform UI spoofing via a crafte...
   Attack Vector: NETWORK, Attack Complexity: LOW

8. MEDIUM  CVE-2026-3938  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer pro...
   Attack Vector: NETWORK, Attack Complexity: LOW

9. MEDIUM  CVE-2026-3940  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via...
   Attack Vector: NETWORK, Attack Complexity: LOW

10. MEDIUM  CVE-2026-3941  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via...
   Attack Vector: NETWORK, Attack Complexity: LOW

11. LOW  CVE-2026-3929  Package: Npm-electron-39.8.0  Insight: Vulnerable Package
   Recommended version: 41.0.1
   Description: Side-channel information leakage in ResourceTiming in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to leak cross-origin data via ...
   Attack Vector: NETWORK, Attack Complexity: HIGH

@BTreston BTreston added the ai-review Request a Claude code review label Mar 20, 2026
@claude claude Bot commented Mar 20, 2026

Claude finished @BTreston's task in 1m 30s
Code Review: PR #1051 - macOS CLI Build Signing

  • Gather context and review PR changes
  • Analyze workflow changes for security and correctness
  • Post review findings

Summary

No actionable findings. This PR adds macOS code signing and notarization steps to the CLI build workflow. The new steps correctly follow the same patterns already established by the existing macos-gui job in the same workflow file, which is the right approach for consistency.

The changes add:

  • Code signing for the macOS CLI binary using the same certificate and identity pattern as the GUI build
  • Notarization submission via xcrun notarytool consistent with the existing GUI flow
  • Appropriate use of GitHub secrets for signing credentials

No security, correctness, or maintainability concerns were identified.


@BTreston BTreston changed the title wip [BEEEP] - Sign and notarize CLI build binary Mar 20, 2026

@BTreston BTreston marked this pull request as ready for review March 20, 2026 19:05
@BTreston BTreston requested a review from a team as a code owner March 20, 2026 19:05
@BTreston BTreston requested a review from r-tome March 20, 2026 19:05

@r-tome r-tome (Contributor) left a comment

Nice work!

@BTreston BTreston (author) commented

I've rolled this into the PR for PM-33578

@BTreston BTreston closed this Apr 15, 2026