fix(ci): skip updater signing on PR builds from forks/Dependabot (#203)

tylergraydev · Tyler Gray · web-flow · commit 3482eec16cce · 2026-04-22T12:23:55.000-04:00
* fix(ci): skip updater signing on PR builds

PRs from forks (prefrontalsys/*) and Dependabot can't read repo secrets,
so ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} evaluates to "" and
tauri-action fails with "Missing comment in secret key" after an
otherwise-successful Rust build. The old comment claimed signing only
ran on pushes to main, but the gate was never implemented.

Split the Build Tauri app step by github.event_name:
- pull_request: no signing env vars, --bundles omits the updater target
  (per-platform bundle list preserves the existing upload-artifacts
  if-no-files-found: error contract).
- push: unchanged behavior -- signed artifacts with the macOS x86_64
  app+updater special case intact.

Release workflow untouched since it only runs on tag push.

* fix(ci): override createUpdaterArtifacts=false on PR builds

Previous attempt gated the signing env vars behind github.event_name,
but tauri build still fails with "A public key has been found, but no
private key" because pubkey in tauri.conf.json triggers the signing
check independent of --bundles. Override bundle.createUpdaterArtifacts
to false via inline --config JSON for PR builds.

Also simplified the per-platform --bundles list -- unnecessary now that
createUpdaterArtifacts is off. Kept the macOS x86_64 "--bundles app"
quirk to mirror the push step's "--bundles app,updater".

---------

Co-authored-by: Tyler Gray &lt;tylerg@emergentsoftware.net&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -112,11 +112,23 @@ jobs:
       - name: Install frontend dependencies
         run: npm ci
 
-      - name: Build Tauri app
+      # Disable updater artifacts on PR builds: fork/Dependabot PRs can't read secrets, and tauri refuses to build when pubkey is set in config but no private key is available.
+      - name: Build Tauri app (PR — updater disabled)
+        if: github.event_name == 'pull_request'
+        uses: tauri-apps/tauri-action@v0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >-
+            --target ${{ matrix.target }}
+            --config {"bundle":{"createUpdaterArtifacts":false}}
+            ${{ matrix.target == 'x86_64-apple-darwin' && '--bundles app' || '' }}
+
+      - name: Build Tauri app (push to main — signed)
+        if: github.event_name == 'push'
         uses: tauri-apps/tauri-action@v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Only use signing keys on push to main (PRs don't need signed artifacts)
           TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
           TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
         with:
