Commit 0f85789

committed
Fix macOS code signing in CI workflows
GitHub rejects `secrets.*` references in `if:` expressions at workflow-parse time. Move secrets to job-level env vars so conditional steps can safely check for their presence before running import-codesign-certs and codesign.
1 parent 2575991 commit 0f85789

2 files changed

+18
-12
lines changed

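--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -18,6 +18,11 @@ env:
 
 jobs:
 build:
+env:
+# Don't reference `secrets.*` in `if:` expressions; GitHub rejects that at workflow-parse time.
+MACOS_SIGN_P12_B64: ${{ secrets.MACOS_SIGN_P12_B64 }}
+MACOS_SIGN_P12_PASSWORD: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
+MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }}
 strategy:
 matrix:
 include:
@@ -54,16 +59,14 @@ jobs:
 cargo build --release --target ${{ matrix.target }}
 
 - name: Import code-signing certificates (macOS)
-if: runner.os == 'macOS' && secrets.MACOS_SIGN_P12_B64 != ''
+if: runner.os == 'macOS' && env.MACOS_SIGN_P12_B64 != ''
 uses: apple-actions/import-codesign-certs@v3
 with:
-p12-file-base64: ${{ secrets.MACOS_SIGN_P12_B64 }}
-p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
+p12-file-base64: ${{ env.MACOS_SIGN_P12_B64 }}
+p12-password: ${{ env.MACOS_SIGN_P12_PASSWORD }}
 
 - name: Codesign (macOS)
-if: runner.os == 'macOS' && secrets.MACOS_SIGN_P12_B64 != '' && secrets.MACOS_SIGN_IDENTITY != ''
-env:
-MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }}
+if: runner.os == 'macOS' && env.MACOS_SIGN_P12_B64 != '' && env.MACOS_SIGN_IDENTITY != ''
 run: |
 BIN="target/${{ matrix.target }}/release/f"
 codesign --force --options runtime --timestamp --sign "$MACOS_SIGN_IDENTITY" "$BIN"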
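Review bot: The job-level `env:` block added under `build:` puts the base64 .p12 and its password into the environment of every step in the job, including the `cargo build` step (which executes dependency build scripts) and, presumably, the non-macOS matrix legs. Before this change they reached only the import step's `with:` inputs. `secrets.*` is still allowed in `env:` and `with:` values, so only a non-secret presence flag needs to live at job level, e.g. `HAS_MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12_B64 != '' }}`, tested with `if: runner.os == 'macOS' && env.HAS_MACOS_SIGN_P12 == 'true'`, while the step keeps `p12-file-base64: ${{ secrets.MACOS_SIGN_P12_B64 }}`. The same block is added to `.github/workflows/release.yml`, where the exposure matters more.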

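--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,11 @@ env:
 
 jobs:
 build:
+env:
+# Don't reference `secrets.*` in `if:` expressions; GitHub rejects that at workflow-parse time.
+MACOS_SIGN_P12_B64: ${{ secrets.MACOS_SIGN_P12_B64 }}
+MACOS_SIGN_P12_PASSWORD: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
+MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }}
 strategy:
 matrix:
 include:
@@ -49,16 +54,14 @@ jobs:
 cargo build --release --target ${{ matrix.target }}
 
 - name: Import code-signing certificates (macOS)
-if: runner.os == 'macOS' && secrets.MACOS_SIGN_P12_B64 != ''
+if: runner.os == 'macOS' && env.MACOS_SIGN_P12_B64 != ''
 uses: apple-actions/import-codesign-certs@v3
 with:
-p12-file-base64: ${{ secrets.MACOS_SIGN_P12_B64 }}
-p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
+p12-file-base64: ${{ env.MACOS_SIGN_P12_B64 }}
+p12-password: ${{ env.MACOS_SIGN_P12_PASSWORD }}
 
 - name: Codesign (macOS)
-if: runner.os == 'macOS' && secrets.MACOS_SIGN_P12_B64 != '' && secrets.MACOS_SIGN_IDENTITY != ''
-env:
-MACOS_SIGN_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY }}
+if: runner.os == 'macOS' && env.MACOS_SIGN_P12_B64 != '' && env.MACOS_SIGN_IDENTITY != ''
 run: |
 BIN="target/${{ matrix.target }}/release/f"
 codesign --force --options runtime --timestamp --sign "$MACOS_SIGN_IDENTITY" "$BIN"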
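Review bot: In the release workflow both signing steps are silently skipped when `env.MACOS_SIGN_P12_B64` or `env.MACOS_SIGN_IDENTITY` is empty, so a missing or misnamed secret produces an unsigned macOS binary on a green run. That skip is reasonable for canary or fork builds, but a release job should fail closed, for example with a guard step using `if: runner.os == 'macOS' && (env.MACOS_SIGN_P12_B64 == '' || env.MACOS_SIGN_IDENTITY == '')` and `run: exit 1`. The signature is also never checked after signing; adding `codesign --verify --strict "$BIN"` as the last line of the `run:` block would catch a bad identity or a failed timestamp. Separately, `apple-actions/import-codesign-certs@v3` receives the certificate and its password through a mutable tag in both workflows, so pinning it to a full commit SHA is worth considering.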
