CI: Sign binaries (only) for branch pushes, not PRs
Before, we were unintentionally not signing for pushes, and only
signing for PRs.

We definitely *do* want to sign for pushes,
(such as to `master` branch), so that Rolling releases get signed,
but we probably don't need (and probably don't want?) to sign for PRs.
(Regardless of whether from a fork or not.)

So, this commit essentially reverses the situation from before:
- DO sign for branch pushes. (Note: the workflow currently only
  triggers for `master` branch pushes.)
- DON'T sign for any other events, such as for Pull Requests.

(This change is for GitHub Actions only, as the Cirrus config was
already set up in a very particular way during the migration of most
binary builds to GitHub Actions, which was quite recent,
and doesn't need any changes at this time.)
DeeDeeG committed Sep 29, 2023
1 parent 2696b32 commit 28fb9c4
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions .github/workflows/build.yml
Expand Up @@ -80,9 +80,10 @@ jobs:
# macOS Signing Stuff
- name: Build Pulsar Binaries (macOS) (Signed)
if: ${{ runner.os == 'macOS' && github.event.pull_request.head.repo.full_name == 'pulsar-edit/pulsar' }}
# PRs generated from forks cannot access GitHub Secrets
# So if the PR is a fork, we will still build, but will not sign.
if: ${{ runner.os == 'macOS' && github.event_name == 'push' }}
# Note: PRs generated from forks cannot access GitHub Secrets.
# So if the PR is from a fork, we can still build, but cannot sign.
# Note: We aren't attempting to sign for *any* PRs anymore, though.
env:
CSC_LINK: ${{ secrets.CSC_LINK }}
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
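Review bot: The new condition `github.event_name == 'push'` on the signed macOS step checks only the event type, not the ref, so keeping `CSC_LINK` and `CSC_KEY_PASSWORD` away from unintended builds depends entirely on the workflow's trigger list staying limited to `master`. The commit message says that is the case today, but if the push trigger is widened later, every pushed branch would be built with the signing certificate. Consider adding `&& github.ref == 'refs/heads/master'` to the condition, or stating in the comment that the trigger list is the real guard. The two retained comment lines about fork PRs also describe a case this step no longer reaches; leading the comment with the rule actually enforced (sign on push only) would read more clearly.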
Expand All @@ -97,7 +98,7 @@ jobs:
command: yarn dist

- name: Build Pulsar Binaries (macOS) (Unsigned)
if: ${{ runner.os == 'macOS' && github.event.pull_request.head.repo.full_name != 'pulsar-edit/pulsar' }}
if: ${{ runner.os == 'macOS' && github.event_name != 'push' }}
uses: nick-fields/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd
with:
timeout_minutes: 30
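Review bot: The unsigned step's `github.event_name != 'push'` is a hand-written negation of the signed step's condition, so the two have to be kept in sync manually, and every event other than `push` (for example `workflow_dispatch` or `schedule`, if either is ever added) silently produces an unsigned build. If another trigger is later used to produce distributable binaries, they would ship unsigned with no failure. Consider a comment on this step saying that unsigned is the intended default for all non-push events, mirroring the note added on the signed step, so a future edit to one condition prompts a check of the other.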