Skip to content

Commit 112a894

Browse files
ci(release): skip sign steps when signing secrets absent
Tag pushes build unsigned MSI/DMG by default. Probe secrets via step outputs (step.if cannot use secrets). Signing runs for workflow_dispatch+sign_artifacts or tag push when all required secrets exist. Made-with: Cursor
1 parent ccf6686 commit 112a894

1 file changed

Lines changed: 40 additions & 12 deletions

File tree

.github/workflows/release.yml

Lines changed: 40 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -214,6 +214,20 @@ jobs:
214214
uv run briefcase build --no-input
215215
uv run briefcase package --no-input -p msi
216216
217+
# step.if cannot use secrets.* (actionlint / GHA); probe via env then gate signing.
218+
- name: Detect Windows signing secrets
219+
id: win_signing
220+
shell: bash
221+
env:
222+
WINDOWS_SIGN_PFX_BASE64: ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
223+
WINDOWS_SIGN_PFX_PASSWORD: ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
224+
run: |
225+
if [ -n "${WINDOWS_SIGN_PFX_BASE64}" ] && [ -n "${WINDOWS_SIGN_PFX_PASSWORD}" ]; then
226+
echo "ready=true" >> "${GITHUB_OUTPUT}"
227+
else
228+
echo "ready=false" >> "${GITHUB_OUTPUT}"
229+
fi
230+
217231
- name: Validate Windows signing secrets (optional gate)
218232
if: ${{ github.event_name == 'workflow_dispatch' && inputs.sign_artifacts }}
219233
shell: pwsh
@@ -226,16 +240,16 @@ jobs:
226240
}
227241
228242
- name: Sign MSI (optional)
229-
if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
243+
if: >-
244+
${{
245+
(github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) ||
246+
(github.event_name == 'push' && steps.win_signing.outputs.ready == 'true')
247+
}}
230248
shell: pwsh
231249
env:
232250
WINDOWS_SIGN_PFX_BASE64: ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
233251
WINDOWS_SIGN_PFX_PASSWORD: ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
234252
run: |
235-
if ([string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_BASE64) -or [string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_PASSWORD)) {
236-
Write-Host "Windows signing secrets not configured; skipping MSI signing."
237-
exit 0
238-
}
239253
$pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
240254
[IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WINDOWS_SIGN_PFX_BASE64))
241255
$secure = ConvertTo-SecureString $env:WINDOWS_SIGN_PFX_PASSWORD -AsPlainText -Force
@@ -293,6 +307,22 @@ jobs:
293307
# "Sign and notarize DMG" step below re-signs and notarizes the artifact.
294308
uv run briefcase package --no-input --adhoc-sign -p dmg
295309
310+
- name: Detect macOS signing secrets
311+
id: mac_signing
312+
shell: bash
313+
env:
314+
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
315+
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
316+
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
317+
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
318+
run: |
319+
if [ -n "${APPLE_IDENTITY}" ] && [ -n "${APPLE_API_ISSUER}" ] && \
320+
[ -n "${APPLE_API_KEY_ID}" ] && [ -n "${APPLE_API_KEY}" ]; then
321+
echo "ready=true" >> "${GITHUB_OUTPUT}"
322+
else
323+
echo "ready=false" >> "${GITHUB_OUTPUT}"
324+
fi
325+
296326
- name: Validate macOS signing secrets (optional gate)
297327
if: ${{ github.event_name == 'workflow_dispatch' && inputs.sign_artifacts }}
298328
shell: bash
@@ -310,20 +340,18 @@ jobs:
310340
done
311341
312342
- name: Sign and notarize DMG (optional)
313-
if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
343+
if: >-
344+
${{
345+
(github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) ||
346+
(github.event_name == 'push' && steps.mac_signing.outputs.ready == 'true')
347+
}}
314348
shell: bash
315349
env:
316350
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
317351
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
318352
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
319353
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
320354
run: |
321-
for var in APPLE_IDENTITY APPLE_API_ISSUER APPLE_API_KEY_ID APPLE_API_KEY; do
322-
if [ -z "${!var}" ]; then
323-
echo "macOS signing secrets not configured; skipping notarization/signing."
324-
exit 0
325-
fi
326-
done
327355
KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
328356
printf '%s' "$APPLE_API_KEY" > "$KEY_PATH"
329357
mapfile -t DMGS < <(find dist -name '*.dmg' -type f)

0 commit comments

Comments
 (0)