From 5e652e5d8543291b11436c66fb202c571269d35f Mon Sep 17 00:00:00 2001
From: per1234 <accounts@perglass.com>
Date: Sat, 16 Nov 2024 05:54:59 -0800
Subject: [PATCH 1/2] Use appropriate indicator for Windows signing
 determination in build workflow

The "build" workflow signs the Windows builds of the application. The signing process relies on access to GitHub Actions
secrets. For this reason, the workflow is configured to only sign the builds when it has access to GitHub Actions
secrets to avoid spurious failures of the workflow that would otherwise be caused by signing failure.

Previously the signing was determined based on the value of the `github.event.pull_request.head.repo.fork` context item.
That was effective for the use case of the workflow being triggered by a pull request from a fork (for security reasons,
GitHub Actions does not give access to secrets under these conditions).

However, there is another context under which the workflow might run without access to the signing secrets, for which
the use of context item is not appropriate. It is important to support the use of the workflow in forks of the
repository. In addition to the possible value to hard forked projects, this is essential to allow conscientious
contributors to test contributions to the build and release system in their own fork prior to submitting a pull request.
The previous configuration would cause a workflow run performed by a contributor in a fork to attempt to sign the
Windows build. Unless the contributor had set up the ridiculously complex infrastructure required to perform the signing
for the Windows build, which is utterly infeasible, this would cause the workflow to fail spuriously.

The appropriate approach, which has been the established convention in the rest of the workflow code, is to use the
secret itself when determining whether to attempt the signing process. If the secret is not defined (resulting in it
having an empty string value), then the signing should be skipped. If it is defined, then the signing should be
performed.
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 02de77393..294284d48 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -290,7 +290,7 @@ jobs:
       SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
       WIN_CERT_PASSWORD: ${{ secrets[matrix.config.certificate-password-secret] }}
       WIN_CERT_CONTAINER_NAME: ${{ secrets[matrix.config.certificate-container] }}
-      WIN_SIGNING_ENABLED: ${{ !github.event.pull_request.head.repo.fork }}
+      WIN_SIGNING_ENABLED: ${{ secrets[matrix.config.certificate-password-secret] != '' }}
 
     strategy:
       matrix:

From ec6aef5fab10e3fe5e4f6ea967e408d2d952cbd2 Mon Sep 17 00:00:00 2001
From: per1234 <accounts@perglass.com>
Date: Sat, 16 Nov 2024 05:55:48 -0800
Subject: [PATCH 2/2] Remove redundant signing determination code from build
 system

The "build" workflow signs the macOS and Windows builds of the application. The signing process relies on access to GitHub Actions
secrets. For this reason, the workflow is configured to only sign the builds when it has access to GitHub Actions
secrets to avoid spurious failures of the workflow that would otherwise be caused by signing failure.

A flexible general purpose system for determining whether to attempt signing of a build was established years ago. However, a redundant system was added specific to the Windows build instead of using the existing system.

The redundant system is hereby removed. This makes the workflow easier to understand and maintain.
---
 .github/workflows/build.yml               | 1 -
 electron-app/scripts/windowsCustomSign.js | 5 +----
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 294284d48..b729931ce 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -290,7 +290,6 @@ jobs:
       SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.19041.0/x86/signtool.exe"
       WIN_CERT_PASSWORD: ${{ secrets[matrix.config.certificate-password-secret] }}
       WIN_CERT_CONTAINER_NAME: ${{ secrets[matrix.config.certificate-container] }}
-      WIN_SIGNING_ENABLED: ${{ secrets[matrix.config.certificate-password-secret] != '' }}
 
     strategy:
       matrix:
diff --git a/electron-app/scripts/windowsCustomSign.js b/electron-app/scripts/windowsCustomSign.js
index 41fc6d3b2..5e9585bc2 100644
--- a/electron-app/scripts/windowsCustomSign.js
+++ b/electron-app/scripts/windowsCustomSign.js
@@ -1,10 +1,7 @@
 const childProcess = require('child_process');
 
 exports.default = async function (configuration) {
-  if (
-    !process.env.GITHUB_ACTIONS ||
-    process.env.WIN_SIGNING_ENABLED !== 'true'
-  ) {
+  if (!process.env.GITHUB_ACTIONS || process.env.CAN_SIGN !== 'true') {
     return;
   }