admin/cc-switch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(ci): simplify Tauri signing key handling to use file path only

Browse Source 
- Remove redundant environment variables for key content export
- Focus on providing proper key file path to Tauri CLI to avoid decoding ambiguity
- Maintain support for all three key formats (two-line, base64-wrapped, single base64)
- Improve reliability by standardizing on file-based key passing approach
This commit is contained in:
Jason
2025-09-09 21:50:37 +08:00
parent 29057c1fe0
commit a95f974787
1 changed files with 11 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
.github/workflows/release.yml vendored
View File

@@ -94,40 +94,24 @@ jobs:
fi fi
RAW="${{ secrets.TAURI_PRIVATE_KEY }}" RAW="${{ secrets.TAURI_PRIVATE_KEY }}"
# 目标:向构建环境导出一行的 Base64 秘钥(即 minisign 私钥文件的第二行) # 目标:提供正确的私钥文件路径”给 Tauri CLI避免内容解码歧义
KEY_PATH="$RUNNER_TEMP/tauri_signing.key"
# 情况 1原始两行文本第一行以 "untrusted comment:" 开头) # 情况 1原始两行文本第一行以 "untrusted comment:" 开头)
if echo "$RAW" | head -n1 | grep -q '^untrusted comment:'; then if echo "$RAW" | head -n1 | grep -q '^untrusted comment:'; then
SECOND=$(printf '%s' "$RAW" | tail -n +2 | head -n 1 | tr -d '\r\n') printf '%s\n' "$RAW" > "$KEY_PATH"
echo "TAURI_SIGNING_PRIVATE_KEY=$SECOND" >> $GITHUB_ENV echo "✅ 使用原始两行密钥文件格式"
echo "TAURI_PRIVATE_KEY=$SECOND" >> $GITHUB_ENV
KEY_PATH="$RUNNER_TEMP/tauri_signing.key"
printf '%s\n%s\n' "untrusted comment: tauri signing key" "$SECOND" > "$KEY_PATH"
echo "TAURI_SIGNING_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "TAURI_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "✅ 使用原始两行密钥,已提取第二行"
else else
# 情况 2整体被 base64 包裹(解包后应当是两行) # 情况 2整体被 base64 包裹(解包后应当是两行)
if DECODED=$(printf '%s' "$RAW" | (base64 --decode 2>/dev/null || base64 -D 2>/dev/null)) \ if DECODED=$(printf '%s' "$RAW" | (base64 --decode 2>/dev/null || base64 -D 2>/dev/null)) \
&& echo "$DECODED" | head -n1 | grep -q '^untrusted comment:'; then && echo "$DECODED" | head -n1 | grep -q '^untrusted comment:'; then
SECOND=$(printf '%s' "$DECODED" | tail -n +2 | head -n 1 | tr -d '\r\n') printf '%s\n' "$DECODED" > "$KEY_PATH"
echo "TAURI_SIGNING_PRIVATE_KEY=$SECOND" >> $GITHUB_ENV echo "✅ 成功解码 base64 包裹密钥,已还原为两行文件"
echo "TAURI_PRIVATE_KEY=$SECOND" >> $GITHUB_ENV
KEY_PATH="$RUNNER_TEMP/tauri_signing.key"
printf '%s\n%s\n' "untrusted comment: tauri signing key" "$SECOND" > "$KEY_PATH"
echo "TAURI_SIGNING_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "TAURI_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "✅ 成功解码 base64 包裹密钥,已提取第二行"
else else
# 情况 3已是第二行纯 Base64 一行) # 情况 3已是第二行纯 Base64 一行)→ 构造两行文件
if echo "$RAW" | grep -Eq '^[A-Za-z0-9+/=]+$'; then if echo "$RAW" | grep -Eq '^[A-Za-z0-9+/=]+$'; then
ONE=$(printf '%s' "$RAW" | tr -d '\r\n') ONE=$(printf '%s' "$RAW" | tr -d '\r\n')
echo "TAURI_SIGNING_PRIVATE_KEY=$ONE" >> $GITHUB_ENV
echo "TAURI_PRIVATE_KEY=$ONE" >> $GITHUB_ENV
KEY_PATH="$RUNNER_TEMP/tauri_signing.key"
printf '%s\n%s\n' "untrusted comment: tauri signing key" "$ONE" > "$KEY_PATH" printf '%s\n%s\n' "untrusted comment: tauri signing key" "$ONE" > "$KEY_PATH"
echo "TAURI_SIGNING_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV echo "✅ 使用一行 Base64 私钥,已构造两行文件"
echo "TAURI_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "✅ 使用一行 Base64 私钥"
else else
echo "❌ TAURI_PRIVATE_KEY 格式无法识别:既不是两行原文,也不是其 base64亦非一行 base64" >&2 echo "❌ TAURI_PRIVATE_KEY 格式无法识别:既不是两行原文,也不是其 base64亦非一行 base64" >&2
echo "密钥前10个字符: $(echo "$RAW" | head -c 10)..." >&2 echo "密钥前10个字符: $(echo "$RAW" | head -c 10)..." >&2
@@ -135,6 +119,9 @@ jobs:
fi fi
fi fi
fi fi
# 仅导出“路径”供 CLI 使用,避免误读为内容
echo "TAURI_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "TAURI_SIGNING_PRIVATE_KEY_PATH=$KEY_PATH" >> $GITHUB_ENV
echo "✅ Tauri signing key prepared" echo "✅ Tauri signing key prepared"
- name: Build Tauri App (macOS) - name: Build Tauri App (macOS)