@@ -214,6 +214,20 @@ jobs:
214214 uv run briefcase build --no-input
215215 uv run briefcase package --no-input -p msi
216216
217+ # step.if cannot use secrets.* (actionlint / GHA); probe via env then gate signing.
218+ - name : Detect Windows signing secrets
219+ id : win_signing
220+ shell : bash
221+ env :
222+ WINDOWS_SIGN_PFX_BASE64 : ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
223+ WINDOWS_SIGN_PFX_PASSWORD : ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
224+ run : |
225+ if [ -n "${WINDOWS_SIGN_PFX_BASE64}" ] && [ -n "${WINDOWS_SIGN_PFX_PASSWORD}" ]; then
226+ echo "ready=true" >> "${GITHUB_OUTPUT}"
227+ else
228+ echo "ready=false" >> "${GITHUB_OUTPUT}"
229+ fi
230+
217231 - name : Validate Windows signing secrets (optional gate)
218232 if : ${{ github.event_name == 'workflow_dispatch' && inputs.sign_artifacts }}
219233 shell : pwsh
@@ -226,16 +240,16 @@ jobs:
226240 }
227241
228242 - name : Sign MSI (optional)
229- if : ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
243+ if : >-
244+ ${{
245+ (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) ||
246+ (github.event_name == 'push' && steps.win_signing.outputs.ready == 'true')
247+ }}
230248 shell : pwsh
231249 env :
232250 WINDOWS_SIGN_PFX_BASE64 : ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
233251 WINDOWS_SIGN_PFX_PASSWORD : ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
234252 run : |
235- if ([string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_BASE64) -or [string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_PASSWORD)) {
236- Write-Host "Windows signing secrets not configured; skipping MSI signing."
237- exit 0
238- }
239253 $pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
240254 [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WINDOWS_SIGN_PFX_BASE64))
241255 $secure = ConvertTo-SecureString $env:WINDOWS_SIGN_PFX_PASSWORD -AsPlainText -Force
@@ -293,6 +307,22 @@ jobs:
293307 # "Sign and notarize DMG" step below re-signs and notarizes the artifact.
294308 uv run briefcase package --no-input --adhoc-sign -p dmg
295309
310+ - name : Detect macOS signing secrets
311+ id : mac_signing
312+ shell : bash
313+ env :
314+ APPLE_IDENTITY : ${{ secrets.APPLE_IDENTITY }}
315+ APPLE_API_ISSUER : ${{ secrets.APPLE_API_ISSUER }}
316+ APPLE_API_KEY_ID : ${{ secrets.APPLE_API_KEY_ID }}
317+ APPLE_API_KEY : ${{ secrets.APPLE_API_KEY }}
318+ run : |
319+ if [ -n "${APPLE_IDENTITY}" ] && [ -n "${APPLE_API_ISSUER}" ] && \
320+ [ -n "${APPLE_API_KEY_ID}" ] && [ -n "${APPLE_API_KEY}" ]; then
321+ echo "ready=true" >> "${GITHUB_OUTPUT}"
322+ else
323+ echo "ready=false" >> "${GITHUB_OUTPUT}"
324+ fi
325+
296326 - name : Validate macOS signing secrets (optional gate)
297327 if : ${{ github.event_name == 'workflow_dispatch' && inputs.sign_artifacts }}
298328 shell : bash
@@ -310,20 +340,18 @@ jobs:
310340 done
311341
312342 - name : Sign and notarize DMG (optional)
313- if : ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
343+ if : >-
344+ ${{
345+ (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) ||
346+ (github.event_name == 'push' && steps.mac_signing.outputs.ready == 'true')
347+ }}
314348 shell : bash
315349 env :
316350 APPLE_IDENTITY : ${{ secrets.APPLE_IDENTITY }}
317351 APPLE_API_ISSUER : ${{ secrets.APPLE_API_ISSUER }}
318352 APPLE_API_KEY_ID : ${{ secrets.APPLE_API_KEY_ID }}
319353 APPLE_API_KEY : ${{ secrets.APPLE_API_KEY }}
320354 run : |
321- for var in APPLE_IDENTITY APPLE_API_ISSUER APPLE_API_KEY_ID APPLE_API_KEY; do
322- if [ -z "${!var}" ]; then
323- echo "macOS signing secrets not configured; skipping notarization/signing."
324- exit 0
325- fi
326- done
327355 KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
328356 printf '%s' "$APPLE_API_KEY" > "$KEY_PATH"
329357 mapfile -t DMGS < <(find dist -name '*.dmg' -type f)
0 commit comments