From 1a52655cddeac3d3355ce088d0f05b774a15a5eb Mon Sep 17 00:00:00 2001
From: Zachary Brown
Date: Mon, 4 Nov 2024 11:28:20 -0800
Subject: [PATCH] ci: check for secrets to allow dependabot builds
---
 .github/workflows/build.yaml | 37 +++++++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index ec7a24d7..e867e786 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -88,9 +88,20 @@ jobs:
 - name: Copy sqlite3
 run: cp ${{ matrix.sqlite-path }}node_sqlite3.node ./dist/
+ - name: Test for secrets access
+ id: check_secrets
+ shell: bash
+ run: |
+ unset HAS_SIGNING_SECRET
+
+ if [ -n "$SIGNING_SECRET" ]; then HAS_SIGNING_SECRET='true' ; fi
+ echo "HAS_SIGNING_SECRET=${HAS_SIGNING_SECRET}" >> "$GITHUB_OUTPUT"
+ env:
+ SIGNING_SECRET: "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}"
+
 # Windows Code Signing
 - name: Sign windows artifacts
- if: matrix.runs-on == 'windows-2019'
+ if: matrix.runs-on == 'windows-2019' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
 uses: chia-network/actions/digicert/windows-sign@main
 with:
 sm_api_key: ${{ secrets.SM_API_KEY }}
@@ -101,7 +112,7 @@ jobs:
 # Mac .pkg build + sign
 - name: Import Apple installer signing certificate
- if: matrix.runs-on == 'macos-latest'
+ if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
 uses: Apple-Actions/import-codesign-certs@v1
 with:
 keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
@@ -109,7 +120,7 @@ jobs:
 p12-password: ${{ secrets.APPLE_DEV_ID_INSTALLER_PASS }}
 - name: Import Apple Application signing certificate
- if: matrix.runs-on == 'macos-latest'
+ if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
 uses: Apple-Actions/import-codesign-certs@v1
 with:
 create-keychain: false # Created when importing the first cert
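Review bot: The `Test for secrets access` step probes a single DigiCert secret (`SM_CLIENT_CERT_FILE_B64`), yet its `HAS_SIGNING_SECRET` output is used to gate the Apple certificate import steps as well (this hunk's Windows `if:` and the same condition added in the two following hunks, `Import Apple installer signing certificate` and `Import Apple Application signing certificate`), so a repository holding one vendor's secrets but not the other's will run those steps with missing credentials and fail instead of skipping. That is acceptable for the dependabot/fork case the commit targets, where all secrets are absent together, but the assumption should be written down above the step, e.g. `# One secret stands in for all signing secrets: on dependabot/fork runs none of them is available`. On the `if:` lines, compare the string output explicitly rather than relying on its truthiness, `if: matrix.runs-on == 'windows-2019' && steps.check_secrets.outputs.HAS_SIGNING_SECRET == 'true'`. The probe itself only tests non-emptiness and never prints the value, which is the right shape for a step that also runs on untrusted pull requests.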
@@ -117,20 +128,33 @@ jobs:
 p12-file-base64: ${{ secrets.APPLE_DEV_ID_APP }}
 p12-password: ${{ secrets.APPLE_DEV_ID_APP_PASS }}
- - name: Build Mac .pkg
+ - name: Prep Build of Mac .pkg
 if: matrix.runs-on == 'macos-latest'
 run: |
 rm -rf ${{ github.workspace }}/build-scripts/macos/darwin/application || true
 cp -r ${{ github.workspace }}/dist ${{ github.workspace }}/build-scripts/macos/application
+ - name: Sign Mac binaries
+ if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
+ run: |
 echo "Signing the binaries"
 codesign -f -s "Developer ID Application: Chia Network Inc." --timestamp --options=runtime --entitlements ${{ github.workspace }}/build-scripts/macos/entitlements.mac.plist ${{ github.workspace }}/build-scripts/macos/application/core-registry-cadt
 codesign -f -s "Developer ID Application: Chia Network Inc." --timestamp ${{ github.workspace }}/build-scripts/macos/application/node_sqlite3.node
+ - name: Build Mac .pkg
+ if: matrix.runs-on == 'macos-latest'
+ run: |
 # Makes the .pkg in ./build-scripts/macos/target/pkg
 echo "Building the .pkg"
 bash ${{ github.workspace }}/build-scripts/macos/build-macos.sh core-registry-cadt
+ mkdir -p ${{ github.workspace }}/build-scripts/macos/target/ready-to-upload
+
+ cp ${{ github.workspace }}/build-scripts/macos/target/pkg/core-registry-cadt-macos-installer-x64.pkg ${{ github.workspace }}/build-scripts/macos/target/ready-to-upload/core-registry-cadt-macos-installer-x64.pkg
+
+ - name: Notarize Mac .pkg
+ if: matrix.runs-on == 'macos-latest' && steps.check_secrets.outputs.HAS_SIGNING_SECRET
+ run: |
 mkdir -p ${{ github.workspace }}/build-scripts/macos/target/pkg-signed
 echo "Signing the .pkg"
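Review bot: The new `Build Mac .pkg` step copies the unsigned installer into `ready-to-upload` unconditionally, and nothing at that `cp` line says the copy is a placeholder that `Notarize Mac .pkg` replaces only when `HAS_SIGNING_SECRET` is set; a reader of the workflow alone cannot tell that an unsigned package can end up staged for upload. Add a comment above the `cp`, `# Unsigned .pkg; replaced by the notarized one in 'Notarize Mac .pkg' when signing secrets are available`. The split also turns lines of the former single `run:` block into context lines under three new `run: |` headers, and because this diff arrives with its indentation collapsed I cannot confirm from here that those surviving script lines still sit under the right header — worth a look at the rendered file. The `Notarize Mac .pkg` step's script continues past the end of this hunk.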
@@ -144,12 +168,15 @@ jobs:
 --team-id "${{ secrets.APPLE_TEAM_ID }}" \
 "${{ github.workspace }}/build-scripts/macos/target/pkg-signed/core-registry-cadt-macos-installer-x64.pkg"
+ rm -f ${{ github.workspace }}/build-scripts/macos/target/ready-to-upload/*
+ mv ${{ github.workspace }}/build-scripts/macos/target/pkg-signed/core-registry-cadt-macos-installer-x64.pkg ${{ github.workspace }}/build-scripts/macos/target/ready-to-upload/
+
 - name: Upload Mac Installer
 if: matrix.runs-on == 'macos-latest'
 uses: actions/upload-artifact@v3
 with:
 name: core-registry-cadt-mac-installer
- path: ${{ github.workspace }}/build-scripts/macos/target/pkg-signed
+ path: ${{ github.workspace }}/build-scripts/macos/target/ready-to-upload
 - name: Upload artifacts
 uses: actions/upload-artifact@v3
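Review bot: With `path:` switched to `ready-to-upload`, a run in which `Notarize Mac .pkg` was skipped (no signing secrets) uploads an unsigned, un-notarized installer under the same artifact name, `core-registry-cadt-mac-installer`, that a signed run produces, so whatever consumes that artifact downstream cannot tell the two apart. Either gate this upload on the same condition as the signing steps or mark the artifact, e.g. `name: core-registry-cadt-mac-installer${{ steps.check_secrets.outputs.HAS_SIGNING_SECRET != 'true' && '-unsigned' || '' }}`. The added `rm -f .../ready-to-upload/*` then `mv` replaces the placeholder only after notarization succeeded; a failure earlier in that script fails the step and, unless the job is set to continue on error (which this diff does not show), keeps the upload step from running with the unsigned copy still staged. The notarization `run:` block whose tail appears here begins before this hunk.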