diff --git a/.github/actions/setup-haxeshit/action.yml b/.github/actions/setup-haxeshit/action.yml
index cb5e68f61..ad9c06286 100644
--- a/.github/actions/setup-haxeshit/action.yml
+++ b/.github/actions/setup-haxeshit/action.yml
@@ -3,7 +3,7 @@ description: "sets up haxe shit, using HMM!"
 runs:
   using: "composite"
   steps:
-    - uses: krdlab/setup-haxe@v1.5.1
+    - uses: funkincrew/ci-haxe@v2
       with:
         haxe-version: 4.3.1
     - name: Config haxelib
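Review bot: `funkincrew/ci-haxe@v2` on the changed `uses:` line is a mutable tag, so anyone able to move that tag changes what executes in every job that calls this composite action, and those jobs also mint an app token and use `BUTLER_API_KEY`. Pin it to a full commit SHA and keep the tag as a trailing comment, `- uses: funkincrew/ci-haxe@<full-commit-sha>  # v2`. The same applies to `funkincrew/ci-checkout@v5` and `actions/create-github-app-token@v1` in the build-shit.yml hunks. The steps list continues outside this hunk.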
diff --git a/.github/workflows/build-shit.yml b/.github/workflows/build-shit.yml
index 8a58596b9..301cedcef 100644
--- a/.github/workflows/build-shit.yml
+++ b/.github/workflows/build-shit.yml
@@ -13,11 +13,18 @@ jobs:
     steps:
       - name: ensure git cli is installed
         run: apt update && apt install sudo git -y
-      - uses: actions/checkout@v4
+      - name: get token from gh app
+        uses: actions/create-github-app-token@v1
+        id: app_token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+          owner: ${{ github.repository_owner }}
+      - name: checkout repo
+        uses: funkincrew/ci-checkout@v5
         with:
           submodules: 'recursive'
-          fetch-depth: 0
-          token: ${{ secrets.GH_RO_PAT }}
+          token: ${{ steps.app_token.outputs.token }}
       - name: check whether submodules exist
         run: |
           git config --global --add safe.directory $GITHUB_WORKSPACE
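Review bot: The `get token from gh app` step passes only `owner:`, so the installation token it mints covers every repository the app is installed on under that owner, with whatever permissions the installation holds; it replaces a secret named `GH_RO_PAT`, which by its name was read-only. Add a `repositories:` input that lists this repository and the submodule repositories it needs, and confirm the app is granted read-only contents access. It is also worth checking whether `funkincrew/ci-checkout` leaves the token in `.git/config` the way `actions/checkout` does by default; if it does, `persist-credentials: false` keeps the token away from the later build steps. The same token block is repeated in the hunks at -48, -69 and -101.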
@@ -48,15 +55,24 @@ jobs:
           apt install sudo git curl unzip -y
           echo $GITHUB_WORKSPACE
           git config --global --add safe.directory $GITHUB_WORKSPACE
-      - uses: actions/checkout@v4
+      - name: get token from gh app
+        uses: actions/create-github-app-token@v1
+        id: app_token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+          owner: ${{ github.repository_owner }}
+      - name: checkout repo
+        uses: funkincrew/ci-checkout@v5
         with:
           submodules: 'recursive'
-          fetch-depth: 0
-          token: ${{ secrets.GH_RO_PAT }}
+          token: ${{ steps.app_token.outputs.token }}
       - uses: ./.github/actions/setup-haxeshit
-      - name: Build game
+      - name: game build dependencies
         run: |
           sudo apt-get install -y libx11-dev xorg-dev libgl-dev libxi-dev libxext-dev libasound2-dev libxinerama-dev libxrandr-dev libgl1-mesa-dev
+      - name: build game
+        run: |
           haxelib run lime build html5 -release --times
           ls
       - uses: ./.github/actions/upload-itch
@@ -69,14 +85,21 @@ jobs:
     if: ${{ needs.check_date.outputs.should_run != 'false'}}
     runs-on: windows-latest
     permissions:
-       contents: write
-       actions: write
+      contents: write
+      actions: write
     steps:
-      - uses: actions/checkout@v4
+      - name: get token from gh app
+        uses: actions/create-github-app-token@v1
+        id: app_token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+          owner: ${{ github.repository_owner }}
+      - name: checkout repo
+        uses: funkincrew/ci-checkout@v5
         with:
           submodules: 'recursive'
-          fetch-depth: 0
-          token: ${{ secrets.GH_RO_PAT }}
+          token: ${{ steps.app_token.outputs.token }}
       - uses: ./.github/actions/setup-haxeshit
       - name: Make HXCPP cache dir
         run: |
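Review bot: The re-indented `permissions:` block still gives this job's `GITHUB_TOKEN` `contents: write` and `actions: write`, while the steps visible in this hunk only mint an app token, check out the repository and set up Haxe. If nothing in the rest of the job (outside this hunk) pushes commits or manages workflow runs, reduce it to `contents: read` and drop `actions: write`. A short comment above the block saying which step needs each write scope would make the grant reviewable.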
@@ -101,6 +124,50 @@ jobs:
           butler-key: ${{ secrets.BUTLER_API_KEY }}
           build-dir: export/release/windows/bin
           target: win
+  create-nightly-mac:
+    needs: check_date
+    if: ${{ needs.check_date.outputs.should_run != 'false'}}
+    runs-on: [self-hosted, macos]
+    steps:
+      - name: prepare container
+        run: |
+          git config --global --add safe.directory $GITHUB_WORKSPACE
+      - name: get token from gh app
+        uses: actions/create-github-app-token@v1
+        id: app_token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PEM }}
+          owner: ${{ github.repository_owner }}
+      - name: checkout repo
+        uses: funkincrew/ci-checkout@v5
+        with:
+          submodules: 'recursive'
+          token: ${{ steps.app_token.outputs.token }}
+      - uses: ./.github/actions/setup-haxeshit
+      - name: Make HXCPP cache dir
+        run: |
+          mkdir -p ${{ runner.temp }}/hxcpp_cache
+      - name: Restore build cache
+        id: cache-build-win
+        uses: actions/cache@v3
+        with:
+          path: |
+            .haxelib
+            export
+            ${{ runner.temp }}/hxcpp_cache
+          key: ${{ runner.os }}-build-mac-${{ github.ref_name }}-${{ hashFiles('**/hmm.json') }}
+      - name: Build game
+        run: |
+          haxelib run lime build macos -release --times
+          ls
+        env:
+          HXCPP_COMPILE_CACHE: "${{ runner.temp }}/hxcpp_cache"
+      - uses: ./.github/actions/upload-itch
+        with:
+          butler-key: ${{ secrets.BUTLER_API_KEY}}
+          build-dir: export/release/macos/bin
+          target: macos
 #  test-unit-win:
 #    needs: create-nightly-win
 #    runs-on: windows-latest
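Review bot: `create-nightly-mac` runs on `[self-hosted, macos]` with no `permissions:` block, so it receives the repository's default `GITHUB_TOKEN` scope on a machine whose workspace and home directory may persist between runs. Add `permissions:` with `contents: read` under the job, and note that `git config --global --add safe.directory $GITHUB_WORKSPACE` appends to the runner account's global gitconfig on every run unless the runner is ephemeral. The cache step id `cache-build-win` looks copied from the Windows job; `cache-build-mac` would match the cache key. The workflow's triggers are not visible here; if forked pull requests can start it, a self-hosted runner that handles `APP_PEM` and `BUTLER_API_KEY` should not serve those runs.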
@@ -108,7 +175,7 @@ jobs:
 #       contents: write
 #       actions: write
 #    steps:
-#      - uses: actions/checkout@v4
+#      - uses: funkincrew/ci-checkout@v5
 #        with:
 #          submodules: 'recursive'
 #          fetch-depth: 0