
Developed a secure macOS release signing workflow for the openai/codex repository, replacing the legacy signing process with an Azure Key Vault–backed PKCS#11 solution. This work introduced a CI pipeline that signs, notarizes, and verifies macOS release artifacts, ensuring private keys remain protected and never exposed in GitHub. The implementation leveraged Bash and YAML to automate artifact signing and integrate notarization, meeting distribution requirements and enhancing artifact trust. By focusing on cloud security and DevOps best practices, the workflow enables reproducible builds and post-release verification, strengthening the overall security posture for macOS releases within the project’s CI/CD environment.
June 2026: Delivered a secure macOS release signing workflow for openai/codex, replacing the legacy signing action with an Azure Key Vault–backed PKCS#11 solution. Implemented a CI pipeline to sign, notarize, and verify macOS release artifacts while ensuring private keys are never exposed in GitHub, enabling reproducible builds and a stronger security posture. The work includes notarization integration and artifact verification to meet distribution requirements and improve trust in releases.
