fix: skip Windows code signing when WIN_CSC_LINK secret is absent #19

Workflow file for this run

.github/workflows/release.yml at eb2cee9

	name: Build & Release

	on:
	push:
	tags:
	- 'v..*'

	permissions:
	contents: write

	env:
	FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

	jobs:
	build:
	strategy:
	fail-fast: false
	matrix:
	include:
	- os: macos-latest # Apple Silicon (arm64)
	platform: mac
	arch: arm64
	- os: macos-13 # Intel (x64)
	platform: mac
	arch: x64
	- os: windows-latest # Windows x64
	platform: win
	- os: ubuntu-latest # Linux x64
	platform: linux

	runs-on: ${{ matrix.os }}
	name: ${{ matrix.os }} ${{ matrix.arch \|\| '' }}

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: 24
	cache: npm

	# Linux — native build dependencies
	- name: Install Linux build deps
	if: matrix.platform == 'linux'
	run: \|
	sudo apt-get update
	sudo apt-get install -y \
	libudev-dev \
	libusb-1.0-0-dev \
	build-essential \
	python3 \
	libarchive-tools \
	rpm \
	fakeroot \
	libopenjp2-tools \
	libsecret-1-dev

	- name: Install dependencies
	run: npm ci

	# ── macOS code signing ────────────────────────────────────────────────────
	# Requires repository secrets:
	# APPLE_CERTIFICATE — base64-encoded .p12 certificate
	# APPLE_CERTIFICATE_PASSWORD — password for the .p12
	# APPLE_TEAM_ID — your Apple Developer Team ID
	# APPLE_ID — Apple ID for notarization
	# APPLE_APP_SPECIFIC_PASSWORD — app-specific password for notarization
	- name: Import macOS signing certificate
	if: matrix.platform == 'mac' && env.APPLE_CERTIFICATE != ''
	env:
	APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
	APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
	run: \|
	echo "$APPLE_CERTIFICATE" \| base64 --decode > certificate.p12
	security create-keychain -p "temp-keychain-password" build.keychain
	security import certificate.p12 -k build.keychain \
	-P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
	security list-keychains -s build.keychain
	security default-keychain -s build.keychain
	security unlock-keychain -p "temp-keychain-password" build.keychain
	security set-key-partition-list \
	-S apple-tool:,apple:,codesign: -s -k "temp-keychain-password" build.keychain
	rm certificate.p12

	- name: Build & package
	env:
	# macOS signing (no-op if secrets absent)
	APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
	APPLE_ID: ${{ secrets.APPLE_ID }}
	APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
	CSC_IDENTITY_AUTO_DISCOVERY: ${{ secrets.APPLE_CERTIFICATE != '' && 'true' \|\| 'false' }}
	# Windows signing — skipped automatically when secrets are absent
	WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
	WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
	# GitHub token for electron-updater publish
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: npm run build:${{ matrix.platform }}

	- name: Upload to GitHub Release
	uses: softprops/action-gh-release@v2.3.2
	with:
	draft: false
	prerelease: false
	fail_on_unmatched_files: false
	files: \|
	dist/*.dmg
	dist/*.zip
	dist/*.exe
	dist/*.AppImage
	dist/*.deb
	dist/*.yml
	token: ${{ secrets.GITHUB_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: skip Windows code signing when WIN_CSC_LINK secret is absent #19

Workflow file

fix: skip Windows code signing when WIN_CSC_LINK secret is absent #19

Uh oh!

Workflow file for this run