Allow desktop releases to publish without platform signing infrastructure

The current release lane is aimed at manual downloads and command-line usage, not notarized distribution or in-app auto-updates. This change removes Apple certificate import and updater signing from GitHub Actions, and forces release builds to disable updater artifacts so unsigned release bundles can still be produced consistently.

Constraint: Repository does not have working Apple signing certs or updater signing keys
Rejected: Keep signing requirements and document the secrets problem | blocks every release on infra the project does not plan to maintain
Rejected: Remove the GitHub release workflow entirely | still need a repeatable packaging path for downloadable artifacts
Confidence: high
Scope-risk: moderate
Reversibility: clean
Directive: If signed distribution or in-app updates are added later, restore signing in workflow together with validated secrets and release metadata
Tested: git diff --check; YAML parse of release-desktop workflow; manual inspection that updater artifacts are disabled via tauri.release-ci.json and signing env/steps are removed
Not-tested: Live GitHub Actions run after workflow update
This commit is contained in:
程序员阿江(Relakkes) 2026-04-18 21:38:13 +08:00
parent 494406f128
commit f958bf7e0d
2 changed files with 7 additions and 33 deletions

View File

@ -18,10 +18,6 @@ concurrency:
group: release-desktop-${{ github.ref }}
cancel-in-progress: true
env:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
jobs:
build:
strategy:
@ -126,33 +122,11 @@ jobs:
TAURI_ENV_TARGET_TRIPLE: ${{ matrix.rust_target }}
run: bun run build:sidecars
# ── macOS code signing (optional) ────────────────────────
- name: Import macOS signing certificate
if: contains(matrix.platform, 'macos') && env.APPLE_CERTIFICATE != ''
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
echo "$APPLE_CERTIFICATE" | base64 --decode > certificate.p12
security create-keychain -p actions build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p actions build.keychain
security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k actions build.keychain
rm certificate.p12
# ── Build Tauri app ──────────────────────────────────────
- name: Build Tauri app
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# macOS signing (leave empty to skip)
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
with:
projectPath: desktop
tauriScript: bunx tauri
@ -172,7 +146,7 @@ jobs:
### First-time installation
**macOS**: If you see "app is damaged" or "unidentified developer", run:
**macOS**: This build is unsigned. If you see "app is damaged" or "unidentified developer", run:
```bash
xattr -cr /Applications/Claude\ Code\ Haha.app
```
@ -183,9 +157,4 @@ jobs:
See [Installation Guide](https://github.com/NanmiCoder/cc-haha/blob/main/docs/desktop/04-installation.md) for details.
releaseDraft: ${{ github.event_name == 'workflow_dispatch' && inputs.draft || false }}
prerelease: false
args: ${{ matrix.tauri_args }}
# ── Cleanup macOS keychain ───────────────────────────────
- name: Cleanup macOS keychain
if: contains(matrix.platform, 'macos') && always()
run: security delete-keychain build.keychain 2>/dev/null || true
args: ${{ matrix.tauri_args }} --config src-tauri/tauri.release-ci.json

View File

@ -0,0 +1,5 @@
{
"bundle": {
"createUpdaterArtifacts": false
}
}