From 857c8918d8fad81014d76480d09f39ec4e161cc3 Mon Sep 17 00:00:00 2001
From: deepend
Date: Wed, 18 Feb 2026 11:01:52 -0700
Subject: [PATCH] =?UTF-8?q?Fixed=20the=20invalid=20workflow=20expression?=
 =?UTF-8?q?=20by=20removing=20secrets.*=20checks=20from=20the=20job-level?=
 =?UTF-8?q?=20if=20on=20macos=5Frelease=5Fsigned=20(job-level=20expression?=
 =?UTF-8?q?s=20can=E2=80=99t=20reference=20secrets=20in=20that=20way).?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added a Check signing secrets availability step that inspects all required Apple signing/notarization secrets and emits a ready output for downstream gating. Added an explicit skip message step when secrets are missing, and gated all signing/notarization/artifact-upload steps behind steps.signing_secrets.outputs.ready == 'true' so the workflow remains valid while preserving intended behavior.
---
 .github/workflows/macos-build.yml | 51 ++++++++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/macos-build.yml b/.github/workflows/macos-build.yml
index 949d55ed..0371857a 100644
--- a/.github/workflows/macos-build.yml
+++ b/.github/workflows/macos-build.yml
@@ -78,22 +78,56 @@ jobs:
 runs-on: macos-latest
 if: >-
 github.event_name == 'push' &&
- github.ref == 'refs/heads/master' &&
- secrets.APPLE_DEVELOPER_ID_APPLICATION != '' &&
- secrets.APPLE_DEVELOPER_ID_CERT_P12 != '' &&
- secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD != '' &&
- secrets.APPLE_NOTARY_API_KEY != '' &&
- secrets.APPLE_NOTARY_API_KEY_ID != '' &&
- secrets.APPLE_NOTARY_ISSUER_ID != ''
+ github.ref == 'refs/heads/master'
 
 steps:
+ - name: Check signing secrets availability
+ id: signing_secrets
+ env:
+ APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
+ APPLE_DEVELOPER_ID_CERT_P12: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
+ APPLE_DEVELOPER_ID_CERT_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }}
+ APPLE_NOTARY_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }}
+ APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
+ APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
+ run: |
+ set -eu
+ required_secrets=(
+ APPLE_DEVELOPER_ID_APPLICATION
+ APPLE_DEVELOPER_ID_CERT_P12
+ APPLE_DEVELOPER_ID_CERT_P12_PASSWORD
+ APPLE_NOTARY_API_KEY
+ APPLE_NOTARY_API_KEY_ID
+ APPLE_NOTARY_ISSUER_ID
+ )
+
+ missing=0
+ for key in "${required_secrets[@]}"; do
+ if [ -z "${!key:-}" ]; then
+ echo "Missing secret: $key"
+ missing=1
+ fi
+ done
+
+ if [ "$missing" -eq 1 ]; then
+ echo "ready=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "ready=true" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Skip signing because required secrets are missing
+ if: steps.signing_secrets.outputs.ready != 'true'
+ run: echo "Signing and notarization skipped due to missing required secrets."
+
 - name: Download unsigned app artifact
+ if: steps.signing_secrets.outputs.ready == 'true'
 uses: actions/download-artifact@v4
 with:
 name: zoitechat-macos-unsigned
 path: dist
 
 - name: Import Developer ID certificate
+ if: steps.signing_secrets.outputs.ready == 'true'
 env:
 CERT_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
 CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }}
@@ -109,6 +143,7 @@ jobs:
 security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
 
 - name: Codesign app bundle
+ if: steps.signing_secrets.outputs.ready == 'true'
 env:
 CODESIGN_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
 run: |
@@ -123,6 +158,7 @@ jobs:
 spctl --assess --type execute --verbose "$APP_PATH"
 
 - name: Notarize and staple
+ if: steps.signing_secrets.outputs.ready == 'true'
 env:
 NOTARY_API_KEY_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY }}
 NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
@@ -148,6 +184,7 @@ jobs:
 ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$SIGNED_ZIP"
 
 - name: Upload signed macOS app artifact
+ if: steps.signing_secrets.outputs.ready == 'true'
 uses: actions/upload-artifact@v4
 with:
 name: zoitechat-macos-signed
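Review bot: The `Check signing secrets availability` step in the first hunk exports all six Apple signing and notarization secrets into a shell environment solely to test them for emptiness, which puts the certificate, its password and the notary key into a process environment that the check does not otherwise need; the `secrets` context is available in a step-level `if`, so the `ready` output can be produced by a step gated on `if: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 != '' && secrets.APPLE_NOTARY_API_KEY != '' }}` (extended to the other four names) that writes `ready=true`, with a sibling step on the negated condition writing `ready=false`. The `ready=false` path also ends the job green with nothing but plain `echo` lines to show for it, so a push to master with a misconfigured secret silently yields no signed artifact; writing `echo "::warning::Missing secret: $key"` in the loop surfaces the skip as an annotation, or `::error::` followed by `exit 1` if signing on master is meant to be mandatory. The same step-level gate is repeated in hunks 2–4, which is fine, but any step added to this job later without that `if:` will run on unsigned output, so a comment on the check step such as `# every signing/notarization/upload step below must carry if: steps.signing_secrets.outputs.ready == 'true'` would help. The enclosing job's header is above the hunk and is not visible here.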