From d139d535609469eb906df5d2a25bb6ab99f30db1 Mon Sep 17 00:00:00 2001
From: Tyler Gray
Date: Tue, 21 Apr 2026 12:12:48 -0400
Subject: [PATCH 1/2] fix(ci): skip updater signing on PR builds
PRs from forks (prefrontalsys/*) and Dependabot can't read repo secrets, so ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} evaluates to "" and tauri-action fails with "Missing comment in secret key" after an otherwise-successful Rust build. The old comment claimed signing only ran on pushes to main, but the gate was never implemented. Split the Build Tauri app step by github.event_name:
- pull_request: no signing env vars, --bundles omits the updater target (per-platform bundle list preserves the existing upload-artifacts if-no-files-found: error contract).
- push: unchanged behavior -- signed artifacts with the macOS x86_64 app+updater special case intact. Release workflow untouched since it only runs on tag push.
---
 .github/workflows/build.yml | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5a3b8b27..cb5f80ec 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -112,11 +112,25 @@ jobs:
 - name: Install frontend dependencies
 run: npm ci
- - name: Build Tauri app
+ # Skip updater bundle on PRs: fork/Dependabot PRs can't read secrets, so passing the key would decode to "" and tauri-action would fail.
+ - name: Build Tauri app (PR — skip updater signing)
+ if: github.event_name == 'pull_request'
+ uses: tauri-apps/tauri-action@v0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ args: >-
+ --target ${{ matrix.target }}
+ ${{ (matrix.platform == 'ubuntu-22.04' && '--bundles deb,rpm,appimage')
+ || (matrix.platform == 'windows-latest' && '--bundles nsis,msi')
+ || (matrix.target == 'x86_64-apple-darwin' && '--bundles app')
+ || '--bundles app,dmg' }}
+
+ - name: Build Tauri app (push to main — signed)
+ if: github.event_name == 'push'
 uses: tauri-apps/tauri-action@v0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # Only use signing keys on push to main (PRs don't need signed artifacts)
 TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
 TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
 with:
From 37cc321b49918091f81c9fa8564bf225623856d3 Mon Sep 17 00:00:00 2001
From: Tyler Gray
Date: Tue, 21 Apr 2026 12:52:00 -0400
Subject: [PATCH 2/2] fix(ci): override createUpdaterArtifacts=false on PR builds
Previous attempt gated the signing env vars behind github.event_name, but tauri build still fails with "A public key has been found, but no private key" because pubkey in tauri.conf.json triggers the signing check independent of --bundles. Override bundle.createUpdaterArtifacts to false via inline --config JSON for PR builds. Also simplified the per-platform --bundles list -- unnecessary now that createUpdaterArtifacts is off. Kept the macOS x86_64 "--bundles app" quirk to mirror the push step's "--bundles app,updater".
---
 .github/workflows/build.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
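Review bot: The signed step at `+ if: github.event_name == 'push'` is gated on the event name, not on whether the signing secret is actually available, so any push event that lacks repository secrets — notably branches pushed by Dependabot, which receive only Dependabot secrets — still takes the signed path and hits the same empty-key failure this commit is working around; patch 2/2 keeps the same condition. The step is also named "push to main" while the condition matches every push; whether that matters depends on the `on.push.branches` filter, which is outside this hunk. Since the `secrets` context cannot be used in a step `if`, expose presence through a job-level env var and gate both steps on it, e.g. `HAS_SIGNING_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY != '' }}` under the job's `env:`, then `if: github.event_name == 'push' && env.HAS_SIGNING_KEY == 'true'` on the signed step and `if: github.event_name == 'pull_request' || env.HAS_SIGNING_KEY != 'true'` on the unsigned one. Adding `&& github.ref == 'refs/heads/main'` to the signed condition would make the step name accurate as well, if main-only signing is the intent.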
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cb5f80ec..9acb3613 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -112,8 +112,8 @@ jobs:
 - name: Install frontend dependencies
 run: npm ci
- # Skip updater bundle on PRs: fork/Dependabot PRs can't read secrets, so passing the key would decode to "" and tauri-action would fail.
- - name: Build Tauri app (PR — skip updater signing)
+ # Disable updater artifacts on PR builds: fork/Dependabot PRs can't read secrets, and tauri refuses to build when pubkey is set in config but no private key is available.
+ - name: Build Tauri app (PR — updater disabled)
 if: github.event_name == 'pull_request'
 uses: tauri-apps/tauri-action@v0
 env:
@@ -121,10 +121,8 @@ jobs:
 with:
 args: >-
 --target ${{ matrix.target }}
- ${{ (matrix.platform == 'ubuntu-22.04' && '--bundles deb,rpm,appimage')
- || (matrix.platform == 'windows-latest' && '--bundles nsis,msi')
- || (matrix.target == 'x86_64-apple-darwin' && '--bundles app')
- || '--bundles app,dmg' }}
+ --config {"bundle":{"createUpdaterArtifacts":false}}
+ ${{ matrix.target == 'x86_64-apple-darwin' && '--bundles app' || '' }}
 - name: Build Tauri app (push to main — signed)
 if: github.event_name == 'push'
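Review bot: The inline `--config {"bundle":{"createUpdaterArtifacts":false}}` in the PR step's `args` only remains a single argument as long as the JSON contains no whitespace and the embedded double quotes survive however tauri-action splits the `args` string; neither constraint is recorded next to it, so a later pretty-print or quoting change would silently alter what tauri receives (confirm against tauri-action's args parsing in a PR run log). A comment above `args:` such as `# --config JSON must stay whitespace-free: args is split into tokens before tauri sees it` would protect it. The same comment should state that PR builds therefore no longer exercise updater-artifact generation at all, so a broken `pubkey` or updater setting will only surface on the signed push step. The step comment added in the first hunk also runs well past 120 columns; splitting it across two `#` lines keeps it readable in diffs.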