Security & isolation
MacOps is multi-tenant by design. Your code, secrets and signing keys never run on a shared host or leak between jobs.
Ephemeral, isolated VMs
Every build, test, archive, deploy and GitHub Actions job runs inside a fresh, isolated macOS VM that is created for that one job and destroyed afterwards — the no-leak guarantee. Simulators are erased and physical pool devices are wiped between leases. Each wipe is recorded as an auditable sanitization event.
Secrets, encrypted at rest
GitHub credentials, App Store Connect keys, your managed signing key and project secrets are encrypted with AES-256-GCM. They are decrypted just-in-time, delivered into the ephemeral VM for a single job, and then scrubbed.
Short-lived credentials
GitHub access uses short-lived App installation tokens; repo clones and runner registration use single-use tokens. Nothing long-lived is handed to a runner.
Hardware never faces inward
The Macs in our fleet poll outbound only — they accept no inbound connections. Each runner authenticates with its own token, and tenants never see or address hardware directly.
Tenant isolation
Every project, build, artifact and secret is scoped to your organisation. Caches are partitioned per project. Download links are signed and short-lived.
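How a signed, short-lived, organisation-scoped download link can be minted and checked, as an added example that is not MacOps code. The HMAC-SHA256 scheme, the query parameter names, the functions sign_link and verify_link, the key and the artifact path are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service would load this from its secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(org_id, path, expires):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") sign differently.
    fields = (org_id.encode(), path.encode(), str(expires).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_link(org_id, path, ttl=300, now=None):
    """Mint a link for one organisation that expires after `ttl` seconds."""
    expires = (int(time.time()) if now is None else now) + ttl
    query = {"org": org_id, "exp": expires, "sig": _mac(org_id, path, expires)}
    return path + "?" + urlencode(query)


def verify_link(url, caller_org, now=None):
    """Accept only an unexpired, untampered link minted for the caller's org."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        org, exp, sig = query["org"][0], int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    now = int(time.time()) if now is None else now
    # Recompute over the authenticated caller's org, never the org claimed
    # in the URL, so a link minted for one tenant fails for every other.
    expected = _mac(caller_org, parts.path, exp)
    sig_ok = hmac.compare_digest(sig.encode(), expected.encode())
    return org == caller_org and now < exp and sig_ok


if __name__ == "__main__":
    link = sign_link("org-a", "/artifacts/build-42/App.ipa", ttl=300)
    print(link)
    print("own org:", verify_link(link, "org-a"))
    print("other org:", verify_link(link, "org-b"))
```

Because the path, the organisation and the expiry are all covered by the MAC, editing any of them in the URL invalidates the signature.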