mirror of
https://github.com/huggingface/xet-core.git
synced 2026-06-04 13:30:29 +08:00
8dfe75d68a
Fix issue https://github.com/huggingface/xet-core/issues/822. ## Problem `lando/code-sign-action` (used to codesign and notarize the macOS `git-xet` binary) does not pin its transitive dependency `cognitedata/code-sign-action@v3` & `lando/notarize-action@v2` to a commit SHA. This repo enforces SHA-pinning for all third-party actions, so the workflow was failing for a while. ## Solution My attempt PR to pin its transitive dependencies met with no response, so this PR extracts the macOS codesign + notarize logic into a local composite action `.github/actions/macos-codesign-notarize` — mirroring the existing `.github/actions/windows-codesign` pattern — with zero external `uses:` dependencies.