fix: only set WIN_CSC_LINK env when cert secret is configured

AnasProgrammer2 · AnasProgrammer2 · commit 8021376443e9 · 2026-04-23T20:54:01.000+03:00
Empty WIN_CSC_LINK causes electron-builder to resolve it as the workspace
root path, breaking the build. Now we only inject the signing env vars
when the secret is actually present, so unsigned builds skip signing cleanly.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -84,16 +84,23 @@ jobs:
             -S apple-tool:,apple:,codesign: -s -k "temp-keychain-password" build.keychain
           rm certificate.p12
 
+      # Set Windows signing env only when the cert secret is actually configured.
+      # Passing an empty WIN_CSC_LINK causes electron-builder to resolve it as
+      # a relative path (the workspace root), which breaks the build.
+      - name: Configure Windows code signing
+        if: matrix.platform == 'win' && secrets.WIN_CSC_LINK != ''
+        shell: pwsh
+        run: |
+          echo "WIN_CSC_LINK=${{ secrets.WIN_CSC_LINK }}" | Out-File -FilePath $env:GITHUB_ENV -Append
+          echo "WIN_CSC_KEY_PASSWORD=${{ secrets.WIN_CSC_KEY_PASSWORD }}" | Out-File -FilePath $env:GITHUB_ENV -Append
+
       - name: Build & package
         env:
           # macOS signing (no-op if secrets absent)
           APPLE_TEAM_ID:               ${{ secrets.APPLE_TEAM_ID }}
           APPLE_ID:                    ${{ secrets.APPLE_ID }}
           APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
           CSC_IDENTITY_AUTO_DISCOVERY: ${{ secrets.APPLE_CERTIFICATE != '' && 'true' || 'false' }}
-          # Windows signing — skipped automatically when secrets are absent
-          WIN_CSC_LINK:         ${{ secrets.WIN_CSC_LINK }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
           # GitHub token for electron-updater publish
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: npm run build:${{ matrix.platform }}
