Add support for unsigned PR builds in GHA

Author: pimterry

.github/workflows/ci.yml

@@ -1,5 +1,7 @@
 name: CI
-on: push
+on:
+  - push
+  - pull_request
 jobs:
   build:
     name: Build & test
@@ -43,13 +45,18 @@ jobs:
       - run: npm ci
 
       # The API key in APPLE_API_KEY is a PEM cert that must be read from disk:
-      - run: echo "$APPLE_API_KEY" > ./apple-api-key.p8
-        if: startsWith(matrix.os, 'macos-')
+      - name: Prepare Apple API key
+        run: echo "$APPLE_API_KEY" > ./apple-api-key.p8
+        if: github.event_name == 'push' && startsWith(matrix.os, 'macos-')
         env:
           APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
 
-      - run: npm run build
+      # On push we do signed builds, on PRs we do unsigned builds only (next step)
+      - name: Run signed build
+        if: github.event_name == 'push'
+        run: npm run build
         env:
+          ENABLE_SIGNING: true
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # For Mac notarization:
           APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
@@ -64,6 +71,14 @@ jobs:
           # Workaround - see FPM install step above
           USE_SYSTEM_FPM: ${{ matrix.platform == 'linux' && matrix.arch == 'arm64' }}
 
+      - name: Run unsigned build
+        if: github.event_name != 'push'
+        run: npm run build
+        env:
+          ENABLE_SIGNING: false
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          USE_SYSTEM_FPM: ${{ matrix.platform == 'linux' && matrix.arch == 'arm64' }}
+
       - uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.platform }}-${{ matrix.arch }}-distributables

electron-builder.config.js

@@ -0,0 +1,35 @@
+// This config just re-exposes the config from package.json, but
+// disables code signing & notarization for PR builds where it won't work.
+
+const packageJson = require('./package.json');
+
+const unsignedMode = process.env.ENABLE_SIGNING !== 'true';
+
+const config = packageJson.build;
+
+if (unsignedMode) {
+  console.log('\nBuilding in UNSIGNED mode\n');
+
+  // Make it abundantly clear in the output that the builds aren't signed, so
+  // we don't accidentally distribute them. Different app & file names throughout.
+  config.productName = packageJson.name + ' - dev build';
+  config.extraMetadata.name += '-dev';
+  config.extraMetadata.productName += '-dev';
+
+  config.artifactName = config.artifactName.replace('${ext}', 'dev.${ext}');
+  for (let field in config) {
+    if (config[field]?.artifactName) {
+      config[field].artifactName =
+        config[field].artifactName.replace('${ext}', 'dev.${ext}');
+    }
+  }
+
+  config.mac.forceCodeSigning = false;
+  config.mac.notarize = false;
+  config.win.forceCodeSigning = false;
+  process.env.CSC_IDENTITY_AUTO_DISCOVERY = 'false';
+} else {
+  console.log('\nBuilding in SIGNED mode\n');
+}
+
+module.exports = config;

package.json

@@ -12,7 +12,7 @@
     "build": "npm run build:src && npm run build:electron",
     "build:src": "tsc",
     "postbuild:src": "tsx ./strip-preload-map.ts",
-    "build:electron": "npm run server:setup && electron-builder build",
+    "build:electron": "npm run server:setup && electron-builder build --config electron-builder.config.js",
     "build:dir-only": "npm run server:setup && electron-builder --dir",
     "start": "npm run server:setup && npm run start:app",
     "start:dev": "tsx ./skip-server.ts && cross-env HTK_DEV=true APP_URL='http://localhost:8080' npm run start:app",
@@ -77,7 +77,7 @@
     },
     "nsis": {
       "installerIcon": "./src/icons/icon.ico",
-      "artifactName": "HttpToolkit-${version}.exe",
+      "artifactName": "HttpToolkit-${version}.${ext}",
       "deleteAppDataOnUninstall": true,
       "oneClick": false,
       "allowToChangeInstallationDirectory": true,