The [`hexsign/hexsign-cli`](https://github.com/hexsign/hexsign-cli) GitHub Action installs the `hexsign` binary on a macOS, Linux, or Windows runner, verifies its SHA-256 against the release's signed `checksums.txt`, and — if you pass a client ID and secret — exports the environment variables that switch the CLI into machine mode for the rest of the job.
## What you need
- A service credential with `hexsign-api/read` scope (created in **Settings → CLI Tokens** in the dashboard). The secret is shown exactly once.
- `HEXSIGN_CLIENT_ID` and `HEXSIGN_CLIENT_SECRET` stored as GitHub repository or environment secrets.
- The certificate and provisioning profile IDs you intend to download, stored as repository variables.
## Minimal usage

```yaml
# .github/workflows/release.yml
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup HexSign CLI
        uses: hexsign/hexsign-cli@v1
        with:
          version: latest
          client-id: ${{ secrets.HEXSIGN_CLIENT_ID }}
          client-secret: ${{ secrets.HEXSIGN_CLIENT_SECRET }}
      - name: Fetch signing material
        env:
          CERT_ID: ${{ vars.HEXSIGN_CERT_ID }}
          PROFILE_ID: ${{ vars.HEXSIGN_PROFILE_ID }}
        run: |
          hexsign certificates download "$CERT_ID" --output-dir build/sign
          hexsign profiles download "$PROFILE_ID" --output-dir build/sign
```

## Inputs
- `version`: Release tag to install (e.g. `v0.4.2`) or `latest`. Defaults to `latest`. In production pipelines, pin to a tag so a CLI release can't change your build's behaviour overnight.
- `client-id` / `client-secret`: Optional. When both are set, the action exports `HEXSIGN_CLIENT_ID` and `HEXSIGN_CLIENT_SECRET` (masked) into the job environment and the CLI runs in machine mode without an interactive login.
- `scopes`: Optional. Space-separated OAuth scopes. Defaults to the CLI's built-in set (`hexsign-api/read hexsign-api/write`). Narrow it to `hexsign-api/read` for download-only pipelines.
## Outputs
- `version` — the resolved CLI tag that was installed (useful for log lines or Slack notifications).
- `path` — the absolute path to the installed `hexsign` binary, in case you don't want to rely on `$PATH`.
## Verification and supply chain
Every release of `hexsign-cli` ships a `checksums.txt` alongside the platform archives. The action downloads both, runs `sha256sum -c` (or `shasum -a 256 -c` on macOS runners) against the archive, and only adds the binary to `$PATH` if the checksum matches. A tampered or partial download fails the step before any code runs.
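The checksum gate described above, as an added stand-alone script (example code, not the action's own implementation): it picks `sha256sum` or `shasum -a 256` depending on the runner, selects only the current platform's line from `checksums.txt`, and returns non-zero for a mismatch, a truncated download, or an archive the file does not list. The `<sha256>  <archive>` line format and the archive names are assumptions; the archive bytes are constructed stand-ins, not a real CLI build.

```shell
#!/usr/bin/env bash
# Added example (not hexsign-cli's own code): a portable version of the
# "verify before adding to $PATH" gate. checksums.txt is assumed to use the
# "<sha256>  <archive>" lines that sha256sum/shasum produce.
set -u

# Print the SHA-256 of a file with whichever tool the runner has:
# sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_archive CHECKSUMS ARCHIVE
# Exit 0 only if ARCHIVE's SHA-256 matches its entry in CHECKSUMS. A missing
# entry, a mismatch, or a partial download all return non-zero, so a caller can
# gate the install step on this result.
verify_archive() {
  checksums="$1"
  archive="$2"
  dir=$(dirname "$archive")
  name=$(basename "$archive")
  # Keep only this platform's line: checksums.txt lists every platform's
  # archive, and sha256sum -c would otherwise fail on the ones never downloaded.
  line=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print; found = 1 } END { exit !found }' "$checksums") || return 1
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --status -)
  else
    (cd "$dir" && printf '%s\n' "$line" | shasum -a 256 -c --status -)
  fi
}

# Build a constructed "release" directory: one archive of stand-in bytes plus a
# checksums.txt that also lists a second platform we never download.
make_fixture() {
  d=$(mktemp -d)
  printf 'constructed stand-in for hexsign_linux_amd64.tar.gz\n' > "$d/hexsign_linux_amd64.tar.gz"
  {
    printf '%s  hexsign_linux_amd64.tar.gz\n' "$(sha256_of "$d/hexsign_linux_amd64.tar.gz")"
    printf '%064d  hexsign_darwin_arm64.tar.gz\n' 0   # placeholder digest, archive not fetched
  } > "$d/checksums.txt"
  printf '%s\n' "$d"
}

# Simulate a partial download by keeping only the first few bytes of the archive.
truncate_archive() {
  head -c 8 "$1" > "$1.partial" && mv "$1.partial" "$1"
}

# Stand-alone demo: the intact archive passes, the truncated one is rejected
# before anything would be placed on $PATH.
demo() {
  d=$(make_fixture)
  a="$d/hexsign_linux_amd64.tar.gz"
  if verify_archive "$d/checksums.txt" "$a"; then
    echo "intact archive: checksum OK, safe to install"
  fi
  truncate_archive "$a"
  if verify_archive "$d/checksums.txt" "$a"; then
    echo "truncated archive: unexpectedly accepted"
  else
    echo "truncated archive: rejected, binary not installed"
  fi
  rm -rf "$d"
}

demo
```

Filtering `checksums.txt` down to one line before `-c` is what lets a single-platform runner use a multi-platform checksum file without `--ignore-missing`, which older `sha256sum` builds lack; a file with no entry for the archive is treated as a failure rather than silently skipped.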