The hexsign/hexsign-cli GitHub Action installs the hexsign binary on a macOS, Linux, or Windows runner, verifies its SHA-256 against the release's signed checksums.txt, and, if you pass a client ID and secret, exports the environment variables that switch the CLI into machine mode for the rest of the job.

What you need

A service credential with hexsign-api/read scope (created in Settings → CLI Tokens in the dashboard). The secret is shown exactly once.
HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET stored as GitHub repository or environment secrets.
The certificate and provisioning profile IDs you intend to download, stored as repository variables.

Minimal usage

yaml

# .github/workflows/release.yml
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup HexSign CLI
        uses: hexsign/hexsign-cli@v1
        with:
          version: latest
          client-id:     ${{ secrets.HEXSIGN_CLIENT_ID }}
          client-secret: ${{ secrets.HEXSIGN_CLIENT_SECRET }}

      - name: Fetch signing material
        env:
          CERT_ID:    ${{ vars.HEXSIGN_CERT_ID }}
          PROFILE_ID: ${{ vars.HEXSIGN_PROFILE_ID }}
        run: |
          hexsign certificates download "$CERT_ID"    --output-dir build/sign
          hexsign profiles     download "$PROFILE_ID" --output-dir build/sign

Inputs

version: Release tag to install (e.g. v0.4.2) or latest. Defaults to latest. In production pipelines, pin to a tag so a CLI release can't change your build's behaviour overnight.
client-id / client-secret: Optional. When both are set, the action exports HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET (masked) into the job environment and the CLI runs in machine mode without an interactive login.
scopes: Optional. Space-separated OAuth scopes. Defaults to the CLI's built-in set (hexsign-api/read hexsign-api/write). Narrow it to hexsign-api/read for download-only pipelines.

Outputs

version: the resolved CLI tag that was installed (useful for log lines or Slack notifications).
path: the absolute path to the installed hexsign binary, in case you don't want to rely on $PATH.

Verification and supply chain

Every release of hexsign-cli ships a checksums.txt alongside the platform archives. The action downloads both, runs sha256sum -c (or shasum -a 256 -c on macOS runners) against the archive, and only adds the binary to $PATH if the checksum matches. A tampered or partial download fails the step before any code runs.

What you need

A service credential with hexsign-api/read scope (created in Settings → CLI Tokens in the dashboard). The secret is shown exactly once.

HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET stored as GitHub repository or environment secrets.

The certificate and provisioning profile IDs you intend to download, stored as repository variables.

Minimal usage

yaml

# .github/workflows/release.yml
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup HexSign CLI
        uses: hexsign/hexsign-cli@v1
        with:
          version: latest
          client-id:     ${{ secrets.HEXSIGN_CLIENT_ID }}
          client-secret: ${{ secrets.HEXSIGN_CLIENT_SECRET }}

      - name: Fetch signing material
        env:
          CERT_ID:    ${{ vars.HEXSIGN_CERT_ID }}
          PROFILE_ID: ${{ vars.HEXSIGN_PROFILE_ID }}
        run: |
          hexsign certificates download "$CERT_ID"    --output-dir build/sign
          hexsign profiles     download "$PROFILE_ID" --output-dir build/sign

Inputs

version

Release tag to install (e.g. v0.4.2) or latest. Defaults to latest. In production pipelines, pin to a tag so a CLI release can't change your build's behaviour overnight.

client-id / client-secret

Optional. When both are set, the action exports HEXSIGN_CLIENT_ID and HEXSIGN_CLIENT_SECRET (masked) into the job environment and the CLI runs in machine mode without an interactive login.

scopes

Optional. Space-separated OAuth scopes. Defaults to the CLI's built-in set (hexsign-api/read hexsign-api/write). Narrow it to hexsign-api/read for download-only pipelines.

Verification and supply chain

Use the Setup HexSign CLI GitHub Action

What you need

Minimal usage

Inputs

Outputs

Verification and supply chain

Related articles

Install the HexSign CLI

Run the CLI in CI with machine credentials

Fetch signing material before xcodebuild

Use the Setup HexSign CLI GitHub Action

What you need

Minimal usage

Inputs

Outputs

Verification and supply chain

Related articles

Install the HexSign CLI

Run the CLI in CI with machine credentials

Fetch signing material before xcodebuild