
fix(ci): skip updater signing on PR builds from forks/Dependabot#203

Open

tylergraydev wants to merge 2 commits into main from fix/ci-skip-updater-signing-on-pr

Conversation

@tylergraydev
Owner

Summary

Every PR from a fork (Scot Campbell's prefrontalsys/*) and every Dependabot PR has shown 4/10 red build checks. Root cause is a combination of three things:

  1. src-tauri/tauri.conf.json has "createUpdaterArtifacts": true globally, so every build tries to sign the updater bundle.
  2. build.yml passed TAURI_SIGNING_PRIVATE_KEY + ..._PASSWORD unconditionally to tauri-action. The comment on the old line 119 claimed "Only use signing keys on push to main" but the gate was never implemented.
  3. GitHub withholds repo secrets from workflows triggered by fork PRs and by Dependabot — so ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} evaluates to "" in those contexts.

Net effect: tauri-action tries to decode "" as a minisign secret, minisign rejects it with Missing comment in secret key, and all 4 matrix jobs fail red despite Rust compilation + bundling completing successfully.

Evidence:

Fix

Split Build Tauri app into two if:-gated steps keyed on github.event_name:

  • pull_request: no signing env vars; --bundles excludes the updater target. Per-platform bundle list (deb,rpm,appimage / nsis,msi / app,dmg) preserves the upload-artifacts if-no-files-found: error contract by ensuring a bundle dir is always produced. macOS x86_64-apple-darwin keeps its existing quirk of emitting only app (dropping the updater it used to emit).
  • push: unchanged — same env vars, same args, same macOS x86_64 app,updater special case.

release.yml is untouched since it only runs on tag push, where secrets are always exposed.

Test plan

  • This PR itself should show green build checks across all 4 platforms (no more signing error).
  • Next push to main (e.g. a version-bump commit after this merges) should still produce signed updater artifacts — verify by checking the build log for "Signing..." lines and the bundle output for .sig files.
  • Next Dependabot PR should show green build checks.

🤖 Generated with Claude Code

Tyler Gray added 2 commits April 21, 2026 12:12

PRs from forks (prefrontalsys/*) and Dependabot can't read repo secrets,
so ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} evaluates to "" and
tauri-action fails with "Missing comment in secret key" after an
otherwise-successful Rust build. The old comment claimed signing only
ran on pushes to main, but the gate was never implemented.

Split the Build Tauri app step by github.event_name:
- pull_request: no signing env vars, --bundles omits the updater target
  (per-platform bundle list preserves the existing upload-artifacts
  if-no-files-found: error contract).
- push: unchanged behavior -- signed artifacts with the macOS x86_64
  app+updater special case intact.

Release workflow untouched since it only runs on tag push.

Previous attempt gated the signing env vars behind github.event_name,
but tauri build still fails with "A public key has been found, but no
private key" because pubkey in tauri.conf.json triggers the signing
check independent of --bundles. Override bundle.createUpdaterArtifacts
to false via inline --config JSON for PR builds.

Also simplified the per-platform --bundles list -- unnecessary now that
createUpdaterArtifacts is off. Kept the macOS x86_64 "--bundles app"
quirk to mirror the push step's "--bundles app,updater".
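The two `if:`-gated steps described in the PR body, with the `--config` override from the second commit, written out as an added illustration of the pattern. This is not the repository's own `build.yml`: the job layout, the `matrix.target` variable, the `tauri-action` version tag, and the fail-fast secret check before the signed step are assumptions added here.

```yaml
# Added example, not the project's build.yml. Assumed: a matrix that exposes
# matrix.target, and checkout/toolchain/dependency steps earlier in the job.
jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
          - os: macos-latest
            target: x86_64-apple-darwin
    steps:
      # ... checkout, Node/Rust setup, dependency install (omitted)

      # BEFORE (the broken shape): secrets passed on every event. On fork and
      # Dependabot PRs GitHub withholds them, so the step runs with
      # TAURI_SIGNING_PRIVATE_KEY="" and minisign rejects the empty key after
      # an otherwise successful build.
      # - name: Build Tauri app
      #   uses: tauri-apps/tauri-action@v0
      #   env:
      #     TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
      #     TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
      #   with:
      #     args: --target ${{ matrix.target }}

      # AFTER: PR builds never reference the secrets and switch updater
      # artifacts off inline, so the pubkey in tauri.conf.json no longer
      # triggers the "public key found, but no private key" check.
      - name: Build Tauri app (PR, unsigned)
        if: github.event_name == 'pull_request'
        uses: tauri-apps/tauri-action@v0
        with:
          args: >-
            --target ${{ matrix.target }}
            --config '{"bundle":{"createUpdaterArtifacts":false}}'
            ${{ matrix.target == 'x86_64-apple-darwin' && '--bundles app' || '' }}

      # Assumed extra guard (not part of the PR): on push, fail with a clear
      # message if the key is missing rather than letting minisign surface a
      # cryptic error late in the job.
      - name: Check signing key is present
        if: github.event_name == 'push'
        env:
          SIGNING_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
        run: |
          if [ -z "$SIGNING_KEY" ]; then
            echo "::error::TAURI_SIGNING_PRIVATE_KEY is not available in this run"
            exit 1
          fi

      # Push builds keep the original behaviour: signed artifacts, with the
      # macOS x86_64 app,updater special case intact.
      - name: Build Tauri app (push, signed)
        if: github.event_name == 'push'
        uses: tauri-apps/tauri-action@v0
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          args: >-
            --target ${{ matrix.target }}
            ${{ matrix.target == 'x86_64-apple-darwin' && '--bundles app,updater' || '' }}
```

Two properties matter here. First, the `if:` gate on the signed step means the `secrets.*` expressions are only evaluated in the `push` context where GitHub actually supplies them, so a fork or Dependabot PR cannot even attempt to sign. Second, the secrets are scoped as step-level `env` on the signing step alone rather than job-level, so no other step in the job (including anything a PR could influence) sees the private key.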