From cb444082770a61b4f0e48706ddd936bcbab963cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=99=A8=E8=8B=92?= <16112591+chen-ran@users.noreply.github.com>
Date: Tue, 14 Apr 2026 06:51:06 +0800
Subject: [PATCH] fix(ci): avoid direct secrets access in tauri workflows
---
 .github/workflows/tauri-ci.yml | 8 ++++----
 .github/workflows/tauri-release.yml | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/tauri-ci.yml b/.github/workflows/tauri-ci.yml
index 18951e20..a6b87d35 100644
--- a/.github/workflows/tauri-ci.yml
+++ b/.github/workflows/tauri-ci.yml
@@ -44,6 +44,9 @@ jobs:
     runs-on: ${{ matrix.platform }}
     timeout-minutes: 60
+    env:
+      APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+      APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
     steps:
       - uses: actions/checkout@v4
@@ -82,10 +85,7 @@ jobs:
       # macOS code signing with certificate secrets.
       - name: Prepare macOS code signing
-        if: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' }}
-        env:
-          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        if: ${{ matrix.platform == 'macos-latest' && env.APPLE_CERTIFICATE != '' && env.APPLE_CERTIFICATE_PASSWORD != '' }}
         run: |
           set -euo pipefail
           KEYCHAIN_PASSWORD="github-actions-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT:-1}"
diff --git a/.github/workflows/tauri-release.yml b/.github/workflows/tauri-release.yml
index cf1c1eeb..235bbd97 100644
--- a/.github/workflows/tauri-release.yml
+++ b/.github/workflows/tauri-release.yml
@@ -31,6 +31,9 @@ jobs:
     runs-on: ${{ matrix.platform }}
     timeout-minutes: 60
+    env:
+      APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+      APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
     steps:
       - uses: actions/checkout@v4
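Review bot: Hoisting `APPLE_CERTIFICATE` and `APPLE_CERTIFICATE_PASSWORD` into the job-level `env:` (the `@@ -44,6 +44,9 @@` hunk here, and the matching `@@ -31,6 +31,9 @@` hunk in tauri-release.yml) widens their exposure from one gated step to every step of the job, on every matrix platform, including `actions/checkout@v4` and whatever build and third-party actions follow; before this change the signing material was only in the environment of the single macOS signing step. The reason for the move is presumably that the `secrets` context is not available in a step-level `if:`, but that can be solved without leaking the values: put only a boolean flag at job level, `HAS_APPLE_CERT: ${{ secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' }}`, gate the step on `env.HAS_APPLE_CERT == 'true'`, and keep the step-level `env:` that the `@@ -82,10 +85,7 @@` hunk (and `@@ -102,10 +105,7 @@` in tauri-release.yml) removes. That keeps the certificate and password scoped to the one step that needs them while still avoiding `secrets` in the condition. The signing step's `run:` block continues outside the hunk.
```yaml
    # Job-level: expose only whether signing material is configured, never the material itself.
    env:
      HAS_APPLE_CERT: ${{ secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' }}
    steps:
      # … unchanged: checkout and build setup steps …
      - name: Prepare macOS code signing
        if: ${{ matrix.platform == 'macos-latest' && env.HAS_APPLE_CERT == 'true' }}
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        # … unchanged: run block …
```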
@@ -102,10 +105,7 @@ jobs:
       # macOS code signing with certificate secrets.
       - name: Prepare macOS code signing
-        if: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_CERTIFICATE != '' && secrets.APPLE_CERTIFICATE_PASSWORD != '' }}
-        env:
-          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+        if: ${{ matrix.platform == 'macos-latest' && env.APPLE_CERTIFICATE != '' && env.APPLE_CERTIFICATE_PASSWORD != '' }}
         run: |
           set -euo pipefail
           KEYCHAIN_PASSWORD="github-actions-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT:-1}"