Embeint · JordanYates · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,7 +16,6 @@ jobs:
         include:
           - os: ubuntu-latest
           - os: windows-latest
-          # Universal macOS binary is supported as universal-apple-darwin.
           - os: macos-latest
     runs-on: ${{ matrix.os }}
     steps:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ permissions:
   contents: write
 
 on:
+  pull_request:
+    types: [ labeled ]
   push:
     tags:
       - v[0-9]+.*
@@ -13,13 +15,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'push' }}
       - uses: taiki-e/create-gh-release-action@v1
+        if: ${{ github.event_name == 'push' }}
         with:
           # (optional) Path to changelog.
           changelog: CHANGELOG.md
           # (required) GitHub token for creating GitHub Releases.
           token: ${{ secrets.GITHUB_TOKEN }}
   upload-assets:
+    if: ${{ (github.event_name == 'push') || (github.event.label.name == 'release') }}
     needs: create-release
     strategy:
       matrix:
@@ -33,11 +38,25 @@ jobs:
           - target: x86_64-pc-windows-msvc
             os: windows-latest
           # Universal macOS binary is supported as universal-apple-darwin.
-          - target: universal-apple-darwin
+          - target: x86_64-apple-darwin
             os: macos-latest
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
+      - name: MacOS Signing setup
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
+          security create-keychain -p "" build.keychain
+          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security list-keychains -s build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "" build.keychain
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain
+        env:
+          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
+          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
       - uses: taiki-e/upload-rust-binary-action@v1
         with:
           # (required) Comma-separated list of binary names (non-extension portion of filename) to build and upload.
@@ -49,3 +68,8 @@ jobs:
           target: ${{ matrix.target }}
           # (required) GitHub token for uploading assets to GitHub Releases.
           token: ${{ secrets.GITHUB_TOKEN }}
+          # Dry-run unless a release
+          dry-run: ${{ github.event_name != 'push' }}
+          # MacOS codesign parameters
+          codesign: ${{ secrets.MACOS_SIGNING_IDENTITY }}
+          codesign-options: runtime 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org).
 
+## [1.4.0] - 2025-11-26
+
+ - Binary signing for MacOS
+ - Update TDF definitions
+ - Update dependencies
+
 ## [1.3.0] - 2025-09-16
 
  - Fix crashes on invalid headers lengths and sizes

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "infuse_decoder"
-version = "1.3.0"
+version = "1.4.0"
 edition = "2024"
 
 [[bin]]