Ruslan Nigmatullin e9165b9f40 ci: add macOS keychain entitlements (#19167) ...

## Summary

- add macOS application and team identifiers to the release signing
entitlements
- add a Codex keychain access group for release-signed macOS binaries
- keep the existing JIT entitlement unchanged

## Why

Codex release binaries are signed with the OpenAI Developer ID team, but
the current entitlements plist only grants JIT. macOS Keychain and
Secure Enclave operations that create persistent keys can require the
process to carry an application identifier and keychain access group.
Adding these entitlements gives release-signed binaries a stable
Keychain namespace for Codex-owned device keys.

## Validation

- `plutil -lint
.github/actions/macos-code-sign/codex.entitlements.plist`

2026-04-23 11:20:58 -07:00

..

actions

ci: add macOS keychain entitlements (#19167)

2026-04-23 11:20:58 -07:00

codex

Fix minor typos in comments and documentation (#10287)

2026-01-30 22:11:02 -08:00

ISSUE_TEMPLATE

Updated app bug report template (#11695)

2026-02-13 10:03:04 -08:00

scripts

ci: make Windows Bazel clippy catch core test imports (#18350)

2026-04-17 18:19:58 +00:00

workflows

test: set Rust test thread stack size (#19067)

2026-04-22 19:51:49 -07:00

blob-size-allowlist.txt

fix(guardian) Dont hard error on feature disable (#18795)

2026-04-20 19:54:39 -07:00

CODEOWNERS

Add core CODEOWNERS (#18362)

2026-04-17 11:29:46 -07:00

codex-cli-splash.png

Replaced user documentation with links to developers docs site (#8662)

2026-01-02 13:01:53 -07:00

dependabot.yaml

…

dotslash-argument-comment-lint-config.json

Publish runnable DotSlash package for argument-comment lint (#15198)

2026-03-19 18:59:02 +00:00

dotslash-config.json

include new windows binaries in npm package. (#8140)

2025-12-16 16:14:33 -08:00

dotslash-zsh-config.json

fix: keep zsh-fork release assets after removing shell-tool-mcp (#15644)

2026-03-24 12:56:26 -07:00

pull_request_template.md

…