Fixed the invalid workflow expression by removing the `secrets.*` checks from the job-level `if` on `macos_release_signed` (the `secrets` context is not available in job-level `if` expressions, so the job could never be evaluated).

Added a Check signing secrets availability step that inspects all required Apple signing/notarization secrets and emits a ready output for downstream gating.

Added an explicit skip message step when secrets are missing, and gated all signing/notarization/artifact-upload steps behind steps.signing_secrets.outputs.ready == 'true' so the workflow remains valid while preserving intended behavior.
2026-02-18 11:01:52 -07:00
parent 04b8f1d5fa
commit 857c8918d8


@@ -78,22 +78,56 @@ jobs:
runs-on: macos-latest
if: >-
github.event_name == 'push' &&
github.ref == 'refs/heads/master' &&
secrets.APPLE_DEVELOPER_ID_APPLICATION != '' &&
secrets.APPLE_DEVELOPER_ID_CERT_P12 != '' &&
secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD != '' &&
secrets.APPLE_NOTARY_API_KEY != '' &&
secrets.APPLE_NOTARY_API_KEY_ID != '' &&
secrets.APPLE_NOTARY_ISSUER_ID != ''
github.ref == 'refs/heads/master'
steps:
- name: Check signing secrets availability
id: signing_secrets
env:
APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
APPLE_DEVELOPER_ID_CERT_P12: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
APPLE_DEVELOPER_ID_CERT_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }}
APPLE_NOTARY_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }}
APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
run: |
set -eu
required_secrets=(
APPLE_DEVELOPER_ID_APPLICATION
APPLE_DEVELOPER_ID_CERT_P12
APPLE_DEVELOPER_ID_CERT_P12_PASSWORD
APPLE_NOTARY_API_KEY
APPLE_NOTARY_API_KEY_ID
APPLE_NOTARY_ISSUER_ID
)
missing=0
for key in "${required_secrets[@]}"; do
if [ -z "${!key:-}" ]; then
echo "Missing secret: $key"
missing=1
fi
done
if [ "$missing" -eq 1 ]; then
echo "ready=false" >> "$GITHUB_OUTPUT"
else
echo "ready=true" >> "$GITHUB_OUTPUT"
fi
- name: Skip signing because required secrets are missing
if: steps.signing_secrets.outputs.ready != 'true'
run: echo "Signing and notarization skipped due to missing required secrets."
- name: Download unsigned app artifact
if: steps.signing_secrets.outputs.ready == 'true'
uses: actions/download-artifact@v4
with:
name: zoitechat-macos-unsigned
path: dist
- name: Import Developer ID certificate
if: steps.signing_secrets.outputs.ready == 'true'
env:
CERT_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }}
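Review bot: The "Check signing secrets availability" step places the full value of all six secrets — including the Developer ID P12 and the notary API key — into the step environment only to test whether they are empty, which hands the signing material to a step that does not need it (log masking hides the values in output, but any process launched from that shell still sees them). The presence test can be done in the expression instead, so only a `true`/`false` flag enters the environment: `APPLE_NOTARY_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY != '' }}` for each key, with the loop then checking `[ "${!key:-}" != "true" ]`; the indirect expansion is bash-only, so adding `shell: bash` to the step would also make the interpreter explicit rather than relying on the runner default. Separately, the skip step currently leaves a green job with no visible signal; `echo "::warning::Signing and notarization skipped due to missing required secrets."` would surface the degraded run in the workflow summary.

```yaml
- name: Check signing secrets availability
  id: signing_secrets
  shell: bash
  env:
    # Only a presence flag enters the environment; the secret values never do.
    APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION != '' }}
    APPLE_DEVELOPER_ID_CERT_P12: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 != '' }}
    APPLE_DEVELOPER_ID_CERT_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD != '' }}
    APPLE_NOTARY_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY != '' }}
    APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID != '' }}
    APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID != '' }}
  run: |
    set -eu
    # … unchanged: required_secrets array …
    missing=0
    for key in "${required_secrets[@]}"; do
      # Each variable now holds "true" or "false", not the secret itself.
      if [ "${!key:-}" != "true" ]; then
        echo "Missing secret: $key"
        missing=1
      fi
    done
    # … unchanged: ready=true/false output …
```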
@@ -109,6 +143,7 @@ jobs:
security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
- name: Codesign app bundle
if: steps.signing_secrets.outputs.ready == 'true'
env:
CODESIGN_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
run: |
@@ -123,6 +158,7 @@ jobs:
spctl --assess --type execute --verbose "$APP_PATH"
- name: Notarize and staple
if: steps.signing_secrets.outputs.ready == 'true'
env:
NOTARY_API_KEY_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY }}
NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
@@ -148,6 +184,7 @@ jobs:
ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$SIGNED_ZIP"
- name: Upload signed macOS app artifact
if: steps.signing_secrets.outputs.ready == 'true'
uses: actions/upload-artifact@v4
with:
name: zoitechat-macos-signed