Fixed the invalid workflow expression by removing secrets.* checks from the job-level if on macos_release_signed (job-level expressions can’t reference secrets in that way).

Added a Check signing secrets availability step that inspects all required Apple signing/notarization secrets and emits a ready output for downstream gating.

Added an explicit skip message step when secrets are missing, and gated all signing/notarization/artifact-upload steps behind steps.signing_secrets.outputs.ready == 'true' so the workflow remains valid while preserving intended behavior.

.github/workflows/macos-build.yml

@@ -78,22 +78,56 @@ jobs:
     runs-on: macos-latest
     if: >-
       github.event_name == 'push' &&
-      github.ref == 'refs/heads/master' &&
+      github.ref == 'refs/heads/master'
-      secrets.APPLE_DEVELOPER_ID_APPLICATION != '' &&
-      secrets.APPLE_DEVELOPER_ID_CERT_P12 != '' &&
-      secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD != '' &&
-      secrets.APPLE_NOTARY_API_KEY != '' &&
-      secrets.APPLE_NOTARY_API_KEY_ID != '' &&
-      secrets.APPLE_NOTARY_ISSUER_ID != ''
 
     steps:
+      - name: Check signing secrets availability
+        id: signing_secrets
+        env:
+          APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
+          APPLE_DEVELOPER_ID_CERT_P12: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
+          APPLE_DEVELOPER_ID_CERT_P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }}
+          APPLE_NOTARY_API_KEY: ${{ secrets.APPLE_NOTARY_API_KEY }}
+          APPLE_NOTARY_API_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
+          APPLE_NOTARY_ISSUER_ID: ${{ secrets.APPLE_NOTARY_ISSUER_ID }}
+        run: |
+          set -eu
+          required_secrets=(
+            APPLE_DEVELOPER_ID_APPLICATION
+            APPLE_DEVELOPER_ID_CERT_P12
+            APPLE_DEVELOPER_ID_CERT_P12_PASSWORD
+            APPLE_NOTARY_API_KEY
+            APPLE_NOTARY_API_KEY_ID
+            APPLE_NOTARY_ISSUER_ID
+          )
+
+          missing=0
+          for key in "${required_secrets[@]}"; do
+            if [ -z "${!key:-}" ]; then
+              echo "Missing secret: $key"
+              missing=1
+            fi
+          done
+
+          if [ "$missing" -eq 1 ]; then
+            echo "ready=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "ready=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Skip signing because required secrets are missing
+        if: steps.signing_secrets.outputs.ready != 'true'
+        run: echo "Signing and notarization skipped due to missing required secrets."
+
       - name: Download unsigned app artifact
+        if: steps.signing_secrets.outputs.ready == 'true'
         uses: actions/download-artifact@v4
         with:
           name: zoitechat-macos-unsigned
           path: dist
 
       - name: Import Developer ID certificate
+        if: steps.signing_secrets.outputs.ready == 'true'
         env:
           CERT_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
           CERT_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12_PASSWORD }}
@@ -109,6 +143,7 @@ jobs:
           security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
 
       - name: Codesign app bundle
+        if: steps.signing_secrets.outputs.ready == 'true'
         env:
           CODESIGN_IDENTITY: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
         run: |
@@ -123,6 +158,7 @@ jobs:
           spctl --assess --type execute --verbose "$APP_PATH"
 
       - name: Notarize and staple
+        if: steps.signing_secrets.outputs.ready == 'true'
         env:
           NOTARY_API_KEY_BASE64: ${{ secrets.APPLE_NOTARY_API_KEY }}
           NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_API_KEY_ID }}
@@ -148,6 +184,7 @@ jobs:
           ditto -c -k --sequesterRsrc --keepParent "$APP_PATH" "$SIGNED_ZIP"
 
       - name: Upload signed macOS app artifact
+        if: steps.signing_secrets.outputs.ready == 'true'
         uses: actions/upload-artifact@v4
         with:
           name: zoitechat-macos-signed