Skip to content

Commit 3be13a8

Browse files
Add workflow verification
1 parent 91f26b3 commit 3be13a8

3 files changed

Lines changed: 34 additions & 2 deletions

File tree

.github/workflows/ci.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,17 @@ on:
99
- "**"
1010

1111
jobs:
12+
workflow-lint:
13+
name: Workflow lint (actionlint)
14+
runs-on: ubuntu-latest
15+
16+
steps:
17+
- name: Checkout repository
18+
uses: actions/checkout@v6
19+
20+
- name: Lint GitHub workflow files
21+
uses: rhysd/actionlint@v1
22+
1223
lint:
1324
name: Lint
1425
runs-on: ubuntu-latest

.github/workflows/release.yml

Lines changed: 18 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,12 @@ jobs:
7171
dotnet tool install --global wix --version "5.*"
7272
"$env:USERPROFILE\.dotnet\tools" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
7373
wix --version
74+
# Briefcase can use WIX env var; point it at the known-good CLI install.
75+
$wixExe = Join-Path $env:USERPROFILE ".dotnet\tools\wix.exe"
76+
if (-not (Test-Path $wixExe)) {
77+
throw "WiX executable not found at expected path: $wixExe"
78+
}
79+
"WIX=$wixExe" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
7480
7581
- name: Sync dependencies (incl. build / Briefcase)
7682
run: |
@@ -96,12 +102,16 @@ jobs:
96102
}
97103
98104
- name: Sign MSI (optional)
99-
if: ${{ secrets.WINDOWS_SIGN_PFX_BASE64 != '' && secrets.WINDOWS_SIGN_PFX_PASSWORD != '' && (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts)) }}
105+
if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
100106
shell: pwsh
101107
env:
102108
WINDOWS_SIGN_PFX_BASE64: ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
103109
WINDOWS_SIGN_PFX_PASSWORD: ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
104110
run: |
111+
if ([string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_BASE64) -or [string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_PASSWORD)) {
112+
Write-Host "Windows signing secrets not configured; skipping MSI signing."
113+
exit 0
114+
}
105115
$pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
106116
[IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WINDOWS_SIGN_PFX_BASE64))
107117
$secure = ConvertTo-SecureString $env:WINDOWS_SIGN_PFX_PASSWORD -AsPlainText -Force
@@ -162,14 +172,20 @@ jobs:
162172
done
163173
164174
- name: Sign and notarize DMG (optional)
165-
if: ${{ secrets.APPLE_IDENTITY != '' && secrets.APPLE_API_ISSUER != '' && secrets.APPLE_API_KEY_ID != '' && secrets.APPLE_API_KEY != '' && (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts)) }}
175+
if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
166176
shell: bash
167177
env:
168178
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
169179
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
170180
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
171181
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
172182
run: |
183+
for var in APPLE_IDENTITY APPLE_API_ISSUER APPLE_API_KEY_ID APPLE_API_KEY; do
184+
if [ -z "${!var}" ]; then
185+
echo "macOS signing secrets not configured; skipping notarization/signing."
186+
exit 0
187+
fi
188+
done
173189
KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
174190
printf '%s' "$APPLE_API_KEY" > "$KEY_PATH"
175191
mapfile -t DMGS < <(find dist -name '*.dmg' -type f)

.pre-commit-config.yaml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,9 @@
11
repos:
2+
- repo: https://github.com/rhysd/actionlint
3+
rev: v1.7.8
4+
hooks:
5+
- id: actionlint
6+
27
- repo: https://github.com/astral-sh/uv-pre-commit
38
rev: 0.11.5
49
hooks:

0 commit comments

Comments
 (0)