From 28fb9c4d98a51f88d0776e72b14dcff14da35812 Mon Sep 17 00:00:00 2001 From: DeeDeeG Date: Thu, 28 Sep 2023 20:44:23 -0400 Subject: [PATCH] CI: Sign binaries (only) for branch pushes, not PRs Before, we were unintentionally not signing for pushes, and only signing for PRs. We definitely *do* want to sign for pushes, (such as to `master` branch), so that Rolling releases get signed, but we probably don't need (and probably don't want?) to sign for PRs. (Regardless of whether from a fork or not.) So, this commit essentially reverses the situation from before: - DO sign for branch pushes. (Note: the workflow currently only triggers for `master` branch pushes.) - DON'T sign for any other events, such as for Pull Requests. (This change is for GitHub Actions only, as the Cirrus config was already set up in a very particular way during the migration of most binary builds to GitHub Actions, which was quite recent, and doesn't need any changes at this time.)
---
 .github/workflows/build.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c5ded5a53d..f56ab7a977 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -80,9 +80,10 @@ jobs:
 # macOS Signing Stuff
 - name: Build Pulsar Binaries (macOS) (Signed)
- if: ${{ runner.os == 'macOS' && github.event.pull_request.head.repo.full_name == 'pulsar-edit/pulsar' }}
- # PRs generated from forks cannot access GitHub Secrets
- # So if the PR is a fork, we will still build, but will not sign.
+ if: ${{ runner.os == 'macOS' && github.event_name == 'push' }}
+ # Note: PRs generated from forks cannot access GitHub Secrets.
+ # So if the PR is from a fork, we can still build, but cannot sign.
+ # Note: We aren't attempting to sign for *any* PRs anymore, though.
 env:
 CSC_LINK: ${{ secrets.CSC_LINK }}
 CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
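Review bot: The Signed step's new condition, `github.event_name == 'push'`, gates use of `CSC_LINK` and `CSC_KEY_PASSWORD` on the event type alone, not on the ref or the repository. The commit message says the workflow currently triggers only for `master` pushes, but that guarantee lives in the `on:` block outside this hunk, so a later change to the triggers would silently widen which pushes get the signing secrets; a push in a fork with Actions enabled would presumably also select this step, with the secrets empty. Consider pinning both in the condition, e.g. `if: ${{ runner.os == 'macOS' && github.event_name == 'push' && github.ref == 'refs/heads/master' && github.repository == 'pulsar-edit/pulsar' }}`, with the Unsigned step in the second hunk changed to the exact negation so every macOS run still matches one of the two. The step's `env:` block continues past the end of the hunk.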
@@ -97,7 +98,7 @@ jobs:
 command: yarn dist
 - name: Build Pulsar Binaries (macOS) (Unsigned)
- if: ${{ runner.os == 'macOS' && github.event.pull_request.head.repo.full_name != 'pulsar-edit/pulsar' }}
+ if: ${{ runner.os == 'macOS' && github.event_name != 'push' }}
 uses: nick-fields/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd
 with:
 timeout_minutes: 30
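Review bot: The Unsigned step's condition `github.event_name != 'push'` is a hand-maintained negation of the Signed step's condition, and nothing on this step says so. If only one of the two is edited later, a macOS run can match neither step, so no binary is built, or both. A comment next to the `if:`, such as `# Keep this the exact negation of the (Signed) step's condition.`, would make the coupling visible to the next editor. The step's `with:` block continues outside the hunk.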