diff --git a/.github/workflows/cli-publish.yml b/.github/workflows/cli-publish.yml
index aea483b561..afa18e5ba5 100644
--- a/.github/workflows/cli-publish.yml
+++ b/.github/workflows/cli-publish.yml
@@ -67,8 +67,13 @@ jobs:
           sudo apt-get install libudev-dev libusb-1.0-0-dev
 
       - name: Install gon (macOS)
-        # https://github.com/mitchellh/gon
-        run: brew install mitchellh/gon/gon
+        # Fork of https://github.com/mitchellh/gon
+        # https://github.com/Bearer/gon
+        # Since we're dealing with code signing secrets we want to pin the version of gon
+        run: |
+          wget https://raw.githubusercontent.com/Bearer/homebrew-tap/366bc999e14a8d04e07e24f9387bcbaf89c1bc53/Formula/gon.rb
+          brew install --formula gon.rb
+          rm gon.rb
         if: matrix.os == 'macos-latest'
 
       - name: Install LLVM and Clang (Windows) # required for bindgen to work, see https://github.com/rust-lang/rust-bindgen/issues/1797
diff --git a/cli/gon-config.json b/cli/gon-config.json
index 6891b07d4c..b23e28a605 100644
--- a/cli/gon-config.json
+++ b/cli/gon-config.json
@@ -2,7 +2,7 @@
   "source": ["../target/production/wallet"],
   "bundle_id": "org.iota.cli-wallet",
   "apple_id": {
-    "password": "@env:AC_PASSWORD"
+    "provider": "UG77RJKZHH"
   },
   "sign": {
     "application_identity": "Developer ID Application: IOTA Stiftung (UG77RJKZHH)"