
CI: tolerate missing signing secrets on macOS + Linux jobs#519

Closed
ldstreet wants to merge 1 commit into OpenSecretCloud:master from ldstreet:ci/windows-skip-signing-on-fork-prs

Conversation


@ldstreet ldstreet commented May 16, 2026

Summary

GitHub withholds repo secrets from workflows triggered by fork PRs, so the existing macOS and Linux build jobs fail at signing/cert steps even though the rest of the build would succeed. This PR makes those steps conditional on the relevant secret being present, so the desktop matrix runs cleanly on fork PRs.

On push to master (and PRs from the upstream repo) all secrets are available and the build runs with full signing + notarization + updater minisigning as before.

How

  • macOS — `if: secrets.APPLE_CERTIFICATE != ''` on the keychain import + verify steps. When skipped, `CERT_ID` is unset → `APPLE_SIGNING_IDENTITY` is empty → tauri-action builds unsigned `.app/.dmg`. Same fallback for `TAURI_SIGNING_PRIVATE_KEY`: when absent, pass `--config tauri.unsigned.conf.json` so tauri doesn't attempt updater minisigning post-bundle.
  • Linux — same `TAURI_SIGNING_PRIVATE_KEY` fallback. When absent, pass the unsigned config override to `cargo tauri build`.

The override file (`frontend/src-tauri/tauri.unsigned.conf.json`) is written at job time, contains only `{"bundle": {"createUpdaterArtifacts": false}}`, and is not committed to the repo.

Out of scope

  • iOS / Android in `mobile-build.yml` — the build genuinely can't produce an `.ipa/.apk` without Apple/Google signing.
  • Authenticode signing of any Windows `.exe` artifact — separate signing/release epic.

🤖 Generated with Claude Code
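The fallback described above (detect the missing `TAURI_SIGNING_PRIVATE_KEY` / `APPLE_CERTIFICATE`, write the unsigned override at job time, pass `--config`), factored into shell functions a workflow step can call; this is an added example, not code from this PR or the Maple repository. It assumes the step exports the secret into the environment via `env:` (so it arrives as a possibly empty variable) and that `GITHUB_OUTPUT` is only set on a runner.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own code. Assumes the calling step has
#   env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
# so the secret is an (empty on fork PRs) environment variable, and that
# GITHUB_OUTPUT exists only on a runner (defaults to /dev/null locally).
set -eu

# Exactly the override the PR description gives; written at job time only
# and never committed, so the fully signed build on master is unaffected.
UNSIGNED_CONF='{"bundle": {"createUpdaterArtifacts": false}}'

# Decide the extra `cargo tauri build` arguments.
#   $1 = directory holding tauri.conf.json (e.g. frontend/src-tauri)
#   $2 = value of TAURI_SIGNING_PRIVATE_KEY ("" on a fork PR, where GitHub
#        withholds repo secrets from code it does not trust)
# Prints "--config <dir>/tauri.unsigned.conf.json" when the key is absent,
# nothing when it is present (normal minisigned updater artifacts).
tauri_build_args() {
  local dir="$1" key="${2-}"
  if [ -n "$key" ]; then
    return 0
  fi
  printf '%s\n' "$UNSIGNED_CONF" > "$dir/tauri.unsigned.conf.json"
  printf '%s' "--config $dir/tauri.unsigned.conf.json"
}

# Same gate for the macOS keychain import + verify steps: succeeds only when
# APPLE_CERTIFICATE is non-empty. When it fails, CERT_ID stays unset and
# tauri-action builds an unsigned .app/.dmg, as described above.
#   $1 = value of APPLE_CERTIFICATE
apple_signing_available() {
  [ -n "${1-}" ]
}

# Publish the decision as a step output so a later step can expand
# ${{ steps.<id>.outputs.tauri_args }} on its cargo tauri build line.
emit_step_output() {
  printf 'tauri_args=%s\n' "$1" >> "${GITHUB_OUTPUT:-/dev/null}"
}
```

GitHub's secrets documentation advises this environment-variable form because `secrets` cannot be referenced directly in `if:` conditionals. The unsigned artifacts a fork PR produces are build-verification output only; keep any upload or release step gated on the same secret so an unsigned binary never ships.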


coderabbitai Bot commented May 16, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@ldstreet ldstreet changed the title from `CI: windows-latest job with fork-PR signing fallback` to `CI: desktop fork-PR signing fallback (mac + linux + windows)` May 16, 2026
GitHub withholds repo secrets from workflows triggered by fork PRs, which
causes the macOS and Linux build jobs to fail at signing/cert steps even
though the rest of the build would succeed. Detect missing secrets and
skip the dependent steps instead.

macOS:
- Skip Apple keychain import + verify when APPLE_CERTIFICATE is empty.
  tauri-action falls back to an unsigned .app/.dmg (APPLE_SIGNING_IDENTITY
  interpolates to an empty string when CERT_ID is unset).
- When TAURI_SIGNING_PRIVATE_KEY is empty, pass --config tauri.unsigned.conf.json
  so tauri does not attempt updater artifact signing after bundling.

Linux:
- Same updater-signing fallback as above.

On push to master and PRs from the upstream repo all secrets are present
and the build runs with full signing + notarization + updater minisigning
as before.

iOS / Android (in mobile-build.yml) have a different shape — the build
genuinely cannot produce an .ipa / .apk without Apple/Google signing
credentials — and are out of scope here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ldstreet ldstreet force-pushed the ci/windows-skip-signing-on-fork-prs branch from 175a735 to cdef351 May 16, 2026 05:12
@ldstreet ldstreet changed the title from `CI: desktop fork-PR signing fallback (mac + linux + windows)` to `CI: tolerate missing signing secrets on macOS + Linux jobs` May 16, 2026
ldstreet added a commit to ldstreet/Maple that referenced this pull request May 16, 2026
Match the pattern landing in OpenSecretCloud#519 for the macOS and Linux jobs: detect
when TAURI_SIGNING_PRIVATE_KEY is absent (fork PR) and pass an unsigned
config overlay so tauri-action does not attempt updater artifact signing
after producing the NSIS installer.

Without this, the windows job goes red on fork PRs the same way the
existing Linux job did.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ldstreet ldstreet (Collaborator, Author) commented

Closing — no longer needed. With write access to the upstream repo, branches pushed there receive secrets and CI runs normally. The skip-signing fallback was a fork-PR workaround.

@ldstreet ldstreet closed this May 16, 2026
@ldstreet ldstreet deleted the ci/windows-skip-signing-on-fork-prs branch May 16, 2026 21:04