ci(release): move ed25519 signing gate from secrets.X to env.X

hoangsonww · hoangsonww · commit b02fba575159 · 2026-04-20T16:33:46.000-04:00
GitHub Actions evaluates `if:` at workflow-parse time and doesn't expose
the `secrets` context there, so `if: secrets.FOO != ''` is an invalid
workflow. Use the standard pattern: inject the secret into `env:` (which
IS available at runtime), then gate on `env.X != ''`.

Also swap `echo` for `printf '%s'` so trailing newlines don't corrupt
the key bytes on read.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -164,9 +164,11 @@ jobs:
           EOF
           cat manifest.json
       - name: Sign manifest (ed25519)
-        if: ${{ secrets.FORGE_RELEASE_ED25519_PRIV != '' }}
+        env:
+          ED25519_KEY: ${{ secrets.FORGE_RELEASE_ED25519_PRIV }}
+        if: env.ED25519_KEY != ''
         run: |
-          echo "${{ secrets.FORGE_RELEASE_ED25519_PRIV }}" > /tmp/ed25519.key
+          printf '%s' "$ED25519_KEY" > /tmp/ed25519.key
           openssl pkeyutl -sign -inkey /tmp/ed25519.key -rawin -in manifest.json -out manifest.sig.bin
           base64 -w0 manifest.sig.bin > manifest.sig
       - uses: softprops/action-gh-release@v2
