Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 40 additions & 12 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,20 @@ jobs:
uv run briefcase build --no-input
uv run briefcase package --no-input -p msi

# step.if cannot use secrets.* (actionlint / GHA); probe via env then gate signing.
- name: Detect Windows signing secrets
id: win_signing
shell: bash
env:
WINDOWS_SIGN_PFX_BASE64: ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
WINDOWS_SIGN_PFX_PASSWORD: ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
run: |
if [ -n "${WINDOWS_SIGN_PFX_BASE64}" ] && [ -n "${WINDOWS_SIGN_PFX_PASSWORD}" ]; then
echo "ready=true" >> "${GITHUB_OUTPUT}"
else
echo "ready=false" >> "${GITHUB_OUTPUT}"
fi

- name: Validate Windows signing secrets (optional gate)
if: ${{ github.event_name == 'workflow_dispatch' && inputs.sign_artifacts }}
shell: pwsh
Expand All @@ -226,16 +240,16 @@ jobs:
}

- name: Sign MSI (optional)
if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
if: >-
${{
(github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) ||
(github.event_name == 'push' && steps.win_signing.outputs.ready == 'true')
}}
shell: pwsh
env:
WINDOWS_SIGN_PFX_BASE64: ${{ secrets.WINDOWS_SIGN_PFX_BASE64 }}
WINDOWS_SIGN_PFX_PASSWORD: ${{ secrets.WINDOWS_SIGN_PFX_PASSWORD }}
run: |
if ([string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_BASE64) -or [string]::IsNullOrWhiteSpace($env:WINDOWS_SIGN_PFX_PASSWORD)) {
Write-Host "Windows signing secrets not configured; skipping MSI signing."
exit 0
}
$pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
[IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:WINDOWS_SIGN_PFX_BASE64))
$secure = ConvertTo-SecureString $env:WINDOWS_SIGN_PFX_PASSWORD -AsPlainText -Force
Expand Down Expand Up @@ -293,6 +307,22 @@ jobs:
# "Sign and notarize DMG" step below re-signs and notarizes the artifact.
uv run briefcase package --no-input --adhoc-sign -p dmg

- name: Detect macOS signing secrets
id: mac_signing
shell: bash
env:
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
run: |
if [ -n "${APPLE_IDENTITY}" ] && [ -n "${APPLE_API_ISSUER}" ] && \
[ -n "${APPLE_API_KEY_ID}" ] && [ -n "${APPLE_API_KEY}" ]; then
echo "ready=true" >> "${GITHUB_OUTPUT}"
else
echo "ready=false" >> "${GITHUB_OUTPUT}"
fi

- name: Validate macOS signing secrets (optional gate)
if: ${{ github.event_name == 'workflow_dispatch' && inputs.sign_artifacts }}
shell: bash
Expand All @@ -310,20 +340,18 @@ jobs:
done

- name: Sign and notarize DMG (optional)
if: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) }}
if: >-
${{
(github.event_name == 'workflow_dispatch' && inputs.sign_artifacts) ||
(github.event_name == 'push' && steps.mac_signing.outputs.ready == 'true')
}}
shell: bash
env:
APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
run: |
for var in APPLE_IDENTITY APPLE_API_ISSUER APPLE_API_KEY_ID APPLE_API_KEY; do
if [ -z "${!var}" ]; then
echo "macOS signing secrets not configured; skipping notarization/signing."
exit 0
fi
done
KEY_PATH="$RUNNER_TEMP/AuthKey_${APPLE_API_KEY_ID}.p8"
printf '%s' "$APPLE_API_KEY" > "$KEY_PATH"
mapfile -t DMGS < <(find dist -name '*.dmg' -type f)
Expand Down