fix(ci): skip updater signing on PR builds from forks/Dependabot #203
Merged
added 2 commits
April 21, 2026 12:12
PRs from forks (prefrontalsys/*) and Dependabot can't read repo secrets,
so ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} evaluates to "" and
tauri-action fails with "Missing comment in secret key" after an
otherwise-successful Rust build. The old comment claimed signing only
ran on pushes to main, but the gate was never implemented.
Split the Build Tauri app step by github.event_name:
- pull_request: no signing env vars, --bundles omits the updater target
(per-platform bundle list preserves the existing upload-artifacts
if-no-files-found: error contract).
- push: unchanged behavior -- signed artifacts with the macOS x86_64
app+updater special case intact.
Release workflow untouched since it only runs on tag push.
Previous attempt gated the signing env vars behind github.event_name, but tauri build still fails with "A public key has been found, but no private key" because pubkey in tauri.conf.json triggers the signing check independent of --bundles. Override bundle.createUpdaterArtifacts to false via inline --config JSON for PR builds. Also simplified the per-platform --bundles list -- unnecessary now that createUpdaterArtifacts is off. Kept the macOS x86_64 "--bundles app" quirk to mirror the push step's "--bundles app,updater".
tylergraydev pushed a commit that referenced this pull request, May 4, 2026:
User-facing additions:
- Model picker now uses Claude Code aliases (opus/sonnet/haiku/opusplan/best) with a 1M context toggle and a free-form "Other (custom model ID)" field for Bedrock ARNs / Vertex / Foundry IDs (#213).
- Rules dropped into ~/.claude/rules/ or {project}/.claude/rules/ now show up in the UI via new global/project scanners (#200).
Fixes:
- Sync Config no longer wipes externally-managed configs (.mcp.json, claude.json, OpenCode/Copilot/Cursor/Gemini/Codex) — extends the #191 guard to all 7 writers and imports .mcp.json on project add (#204).
- Skill/command/sub-agent writers emit `tags` as JSON arrays so they round-trip through the DB reader (#202).
- PR builds from forks/Dependabot no longer fail on missing TAURI_SIGNING_PRIVATE_KEY (#203).
- delete_rule_inner returns real DB errors instead of swallowing them as "row absent" (follow-up to #200).
Internal:
- Cargo clippy from 134 warnings to 0; CI now enforces -D warnings on --lib --tests (#205).
All 1565 frontend tests and 2021 Rust tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Every PR from a fork (Scot Campbell's prefrontalsys/*) and every Dependabot PR has shown 4/10 red build checks. Root cause is a combination of three things:
1. `src-tauri/tauri.conf.json` has `"createUpdaterArtifacts": true` globally, so every build tries to sign the updater bundle.
2. `build.yml` passed `TAURI_SIGNING_PRIVATE_KEY` + `..._PASSWORD` unconditionally to `tauri-action`. The comment on the old line 119 claimed "Only use signing keys on push to main" but the gate was never implemented.
3. `${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}` evaluates to `""` in those contexts.
Net effect: `tauri-action` tries to decode `""` as a minisign secret, minisign rejects it with `Missing comment in secret key`, and all 4 matrix jobs fail red despite Rust compilation + bundling completing successfully.
Evidence:
- (`isCrossRepository: false`): builds all green.
- (`isCrossRepository: true`): builds all red with the signing error.
- `main`: green — because secrets are exposed to same-repo push events.
Fix
Split `Build Tauri app` into two `if:`-gated steps keyed on `github.event_name`:
- `pull_request`: no signing env vars; `--bundles` excludes the `updater` target. Per-platform bundle list (`deb,rpm,appimage` / `nsis,msi` / `app,dmg`) preserves the `upload-artifacts` `if-no-files-found: error` contract by ensuring a bundle dir is always produced. macOS `x86_64-apple-darwin` keeps its existing quirk of emitting only `app` (dropping the `updater` it used to emit).
- `push`: unchanged — same env vars, same `args`, same macOS x86_64 `app,updater` special case.
`release.yml` is untouched since it only runs on tag push, where secrets are always exposed.
Test plan
- `main` (e.g. a version-bump commit after this merges) should still produce signed updater artifacts — verify by checking the build log for "Signing..." lines and the bundle output for `.sig` files.
🤖 Generated with Claude Code
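The gate the commit message and description above settle on (two steps keyed on `github.event_name`, no signing env on `pull_request`, updater artifacts switched off through inline `--config` JSON), written out as an added example rather than the project's actual `build.yml`. The job matrix, step names, the `tauri-action@v0` pin and the `src-tauri/target` bundle path are assumptions; `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` is the Tauri v2 name of the passphrase variable. The per-target `--bundles` quirk for macOS x86_64 is left out. The last step is the check the test plan asks for, run on both branches so a regression in either direction fails the job.

```yaml
# Added example, not the project's build.yml. Matrix, step names and
# the bundle path are assumptions chosen to make the gate self-contained.
name: build
on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - { os: ubuntu-22.04,  target: x86_64-unknown-linux-gnu }
          - { os: windows-latest, target: x86_64-pc-windows-msvc }
          - { os: macos-latest,  target: aarch64-apple-darwin }
          - { os: macos-13,      target: x86_64-apple-darwin }
    steps:
      - uses: actions/checkout@v4

      # pull_request from a fork or Dependabot: secrets.* resolve to "" here.
      # Pass no signing env at all, and disable updater artifacts so the
      # pubkey in tauri.conf.json does not trigger the private-key check
      # ("A public key has been found, but no private key").
      - name: Build Tauri app (unsigned, PR)
        if: github.event_name == 'pull_request'
        uses: tauri-apps/tauri-action@v0
        with:
          args: >-
            --target ${{ matrix.target }}
            --config '{"bundle":{"createUpdaterArtifacts":false}}'

      # push to main: secrets are exposed, keep signing on. An empty
      # secret here should still fail the build, which is why the gate is
      # on event_name and not on whether the secret happens to be set.
      - name: Build Tauri app (signed, push)
        if: github.event_name == 'push'
        uses: tauri-apps/tauri-action@v0
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
        with:
          args: --target ${{ matrix.target }}

      # Contract check: no .sig files on PR builds, at least one on push.
      # The event name is passed through env rather than interpolated into
      # the script, the usual habit for anything that reaches a shell.
      - name: Check updater signatures
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
        run: |
          sigs=$(find src-tauri/target -path '*/bundle/*' -name '*.sig' | wc -l)
          if [ "$EVENT_NAME" = "pull_request" ]; then
            [ "$sigs" -eq 0 ] || { echo "unexpected .sig files on PR build"; exit 1; }
          else
            [ "$sigs" -gt 0 ] || { echo "no .sig files on push build"; exit 1; }
          fi
```

Two caveats worth keeping in mind with this shape. The fix must not be "made to work" by switching the trigger to `pull_request_target`: that event runs with the base repository's secrets against code from the fork, which would hand the minisign key to anyone who opens a PR. And the PR-branch artifacts are deliberately unsigned, so nothing downstream should ever publish them to an updater endpoint; only the `push`/tag paths produce artifacts the updater can verify.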