To answer your second question: Yes, seems like that's the correct way. At least the GitHub Action for apple-actions/import-codesign-certs does the same (see these lines).
I have no idea what that does, but it seems to be necessary. In general, you should be able to just use the GitHub Action apple-actions/import-codesign-certs in your own automated script as described in their Readme.md.