
fix(ci): release.yml — skip code signing when no cert secrets present#355

Merged
jayzalowitz merged 1 commit into main from jayzalowitz/release-yml-unsigned-fix
May 23, 2026

Conversation

@jayzalowitz

Owner

Summary

Fourth release-pipeline fix. After PRs #352, #353, #354 the release workflow finally got past pnpm setup, workspace build, and arg forwarding — but immediately hit a NEW failure: `⨯ apps/desktop not a file` right after `empty password will be used for code signing reason=CSC_KEY_PASSWORD is not defined`.

Root cause: `release.yml`'s Build-and-publish step sets `CSC_LINK` from a ternary on a missing secret. When the secret is unset, the expression evaluates to `''` (empty string), NOT undefined. `CSC_LINK` is therefore IN the environment but empty. electron-builder treats empty `CSC_LINK` as a relative path-to-cert that resolves to CWD (apps/desktop) — finds a directory, errors before packaging.

Fix: pair `CSC_LINK` with `CSC_IDENTITY_AUTO_DISCOVERY` computed from whether the matching secret is non-empty. Falls through cleanly to "skip signing" when secrets are absent (producing the unsigned artifacts the workflow header already documents as expected pre-Apple-Developer-enrollment).

`build.yml` already dodged this by setting `CSC_IDENTITY_AUTO_DISCOVERY: 'false'` and never setting `CSC_LINK`. `release.yml` needed the same defensive guard.

Test plan

After merge: re-tag v0.6.58.0 (fourth attempt) → finally publish artifacts.

🤖 Generated with Claude Code

v0.6.58.0 third release attempt failed on macOS with:
  ⨯ /Users/runner/work/skytwin/skytwin/apps/desktop not a file
right after `empty password will be used for code signing  reason=
CSC_KEY_PASSWORD is not defined`.

Root cause: release.yml's Build-and-publish step sets CSC_LINK from a
secret via ternary. When the secret is unset, the expression
evaluates to '' (empty string), NOT undefined — so CSC_LINK IS in
the environment but as empty. electron-builder then interprets the
empty value as a relative path-to-cert that resolves to the CWD
(apps/desktop), tries to read it as a file, finds a directory,
errors out before packaging even starts.

build.yml dodges this by setting CSC_IDENTITY_AUTO_DISCOVERY: 'false'
and NOT setting CSC_LINK. release.yml needed the same defensive
guard for the no-cert-secrets case.

Fix: pair CSC_LINK with CSC_IDENTITY_AUTO_DISCOVERY computed from
whether the matching secret is non-empty. When secrets are present,
auto-discovery is true (and CSC_LINK takes precedence anyway).
When secrets are empty, auto-discovery is false and electron-builder
falls through cleanly to "skip signing" — producing the unsigned
artifacts the workflow header comment already documents as expected
pre-Apple-Developer-enrollment.

Fourth fix in the v0.6.58.0 release-pipeline chain after:
- PR #352: pnpm/action-setup v4→v5 + --publish never on build.yml
- PR #353: bare pnpm build instead of --filter skytwin-desktop
- PR #354: drop `--` separator before --publish flags
- This: CSC_IDENTITY_AUTO_DISCOVERY fallback

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 23, 2026 02:30
@jayzalowitz jayzalowitz merged commit feafd2f into main May 23, 2026
3 of 4 checks passed
jayzalowitz added a commit that referenced this pull request May 23, 2026
Five consecutive failures of release.yml on tag v0.6.58.0:
1. pnpm/action-setup v4+version conflict (PR #352 fix)
2. `pnpm --filter skytwin-desktop build` skipped workspace deps (PR #353 fix)
3. pnpm `--` separator broke electron-builder arg parsing (PR #354 fix)
4. Empty CSC_LINK env var made electron-builder treat CWD as cert path
   (PR #355 attempted fix — did not actually work, see #5)
5. CSC_IDENTITY_AUTO_DISCOVERY=false isn't enough because CSC_LINK=""
   (set-to-empty-string, not unset) still triggers the path-resolve
   code path

Each fix revealed the next bug because release.yml was never tested
end-to-end — it's been broken since the file was committed. At 5 fixes
deep, the right move is to stop fixing release.yml and use the
known-working publisher pattern instead.

build.yml already builds artifacts successfully on tag push via its
desktop-mac/desktop-windows/desktop-linux/mobile-* matrix. PR #352
deleted build.yml's softprops-based release: job specifically to
avoid double-publishing with release.yml. With release.yml deleted,
that conflict is gone — restore the simpler chain:

- Desktop+mobile matrix builds artifacts (already works, --publish never).
- New release: job downloads via actions/download-artifact and creates
  a draft GitHub Release via softprops/action-gh-release@v3.

Trade-off:
- Lose: electron-builder's GitHub publisher integration (auto-updater
  channel YAML). When code signing + auto-update become priorities,
  add release.yml back with the lessons from #352-#355 baked in OR
  switch to a single workflow with electron-builder publish.
- Gain: artifacts actually publish today, on an unsigned-build basis,
  which is what the launch plan §1.6 README rewrite needs.

After this lands: re-tag v0.6.58.0 (5th attempt). build.yml's matrix
runs as before, plus the new release: job downloads + publishes a
draft. Operator manually clicks Publish in the GitHub UI to make
the release live.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
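The two messages above describe the same failure mode from two angles: the PR description (CSC_LINK set from a ternary that evaluates to '' when the secret is missing) and the follow-up commit's finding #5 (CSC_IDENTITY_AUTO_DISCOVERY=false does not help while CSC_LINK="" is still present in the environment, because set-to-empty is not the same as unset). The workflow fragment below is an added illustration of a guard that addresses the second point; it is not the repository's release.yml or build.yml, neither of which is shown on this page. The secret names MAC_CSC_LINK and MAC_CSC_KEY_PASSWORD, the job and step names, the working directory and the build command are assumptions, not the project's. The broken pattern is reproduced only as a comment for contrast.

```yaml
# Added example, not the project's release.yml. Secret names, job/step names,
# working-directory and the build command are placeholders (assumptions).
name: release
on:
  push:
    tags: ['v*']

jobs:
  build-mac:
    runs-on: macos-latest
    permissions:
      contents: write          # needed for GH_TOKEN to create the release
    steps:
      - uses: actions/checkout@v4

      # BROKEN (the pattern the PR chain describes, reconstructed; not copied
      # from the repo). When the secret is unset the expression evaluates to ''
      # and CSC_LINK is PRESENT BUT EMPTY in the process environment.
      # electron-builder treats '' as a path to a certificate and resolves it
      # to the working directory, so it fails before packaging. Setting
      # CSC_IDENTITY_AUTO_DISCOVERY to false alongside it does not remove
      # CSC_LINK from the environment, which is why the fix in this PR
      # did not hold. Do not use:
      #
      #   - name: Build and publish
      #     env:
      #       CSC_LINK: ${{ secrets.MAC_CSC_LINK && secrets.MAC_CSC_LINK || '' }}
      #       CSC_IDENTITY_AUTO_DISCOVERY: ${{ secrets.MAC_CSC_LINK != '' }}
      #     run: pnpm exec electron-builder --mac --publish always

      # FIXED: bind the secrets to differently named variables in the step's
      # env and let the shell decide whether CSC_LINK exists at all. `export`
      # only runs when the value is non-empty, so the unsigned path never has
      # a CSC_LINK variable, empty or otherwise. The secret stays scoped to
      # this one step instead of being written to $GITHUB_ENV for the job.
      - name: Build and publish
        working-directory: apps/desktop
        env:
          MAC_CSC_LINK: ${{ secrets.MAC_CSC_LINK }}
          MAC_CSC_KEY_PASSWORD: ${{ secrets.MAC_CSC_KEY_PASSWORD }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -eu
          if [ -n "${MAC_CSC_LINK}" ]; then
            export CSC_LINK="${MAC_CSC_LINK}"
            export CSC_KEY_PASSWORD="${MAC_CSC_KEY_PASSWORD}"
            export CSC_IDENTITY_AUTO_DISCOVERY=true
            echo "::notice::Signing certificate secret present; building signed artifacts"
          else
            export CSC_IDENTITY_AUTO_DISCOVERY=false
            echo "::notice::No signing certificate secret; building unsigned artifacts"
          fi
          # Self-check for the exact state that broke the build: ${VAR+set}
          # expands to 'set' even when VAR is empty, so 'set:' below means
          # "defined but empty". Fail loudly rather than let electron-builder
          # resolve '' to the working directory.
          case "${CSC_LINK+set}:${CSC_LINK:-}" in
            set:) echo "CSC_LINK is set but empty; refusing to build" >&2; exit 1 ;;
          esac
          pnpm exec electron-builder --mac --publish always
```

Two notes on the design. First, the `&& ... || ''` ternary is unnecessary: an unset secret already expands to an empty string, and any value placed under `env:` (including '') becomes a defined variable, which is the whole problem; the only way to keep CSC_LINK out of the environment is to not declare it under `env:` at all and export it conditionally from the shell. Second, the `${CSC_LINK+set}` check is cheap and catches regressions if someone later reintroduces a job-level `env: CSC_LINK:` line, since it fires on the defined-but-empty state rather than on the value.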
@jayzalowitz jayzalowitz review requested due to automatic review settings May 23, 2026 02:54
