From 793338cd18e171070b0b15f7fb2fc99d29828b63 Mon Sep 17 00:00:00 2001
From: Matthias Gliwka <matthias@gliwka.eu>
Date: Fri, 24 Nov 2023 16:33:51 +0200
Subject: [PATCH] use signing keys only on tagged releases

---
 .github/workflows/build.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e804ca3..8e2b26e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,11 +27,11 @@ jobs:
       matrix:
         include:
           - os: macos
-            runner: macos-12 #x86_64
+            runner: macos-12
             shell: bash
             platform: macosx-x86_64
           - os: macos
-            runner: macos-12-large #arm64
+            runner: macos-12-large
             shell: bash
             platform: macosx-arm64
           - os: linux
@@ -43,8 +43,6 @@ jobs:
             shell: bash
             platform: linux-arm64
     env:
-      SIGN_KEY: ${{ secrets.SIGN_KEY }}
-      SIGN_KEY_PASS: ${{ secrets.SIGN_KEY_PASS }}
       STAGING_REPO: ${{ needs.create-staging-repo.outputs.staging-repo }}
       DETECTED_PLATFORM: ${{ matrix.platform }}
       STAGING: ${{ startsWith(github.ref, 'refs/tags/v') }}
@@ -55,6 +53,11 @@ jobs:
         if: matrix.os == 'macos'
         with:
           xcode-version: latest-stable
+      - name: Set signing keys
+        if: startsWith(github.ref, 'refs/tags/v') == true
+        run: |
+          echo "SIGN_KEY=${{ secrets.SIGN_KEY }}" >> "$GITHUB_ENV"
+          echo "SIGN_KEY_PASS=${{ secrets.SIGN_KEY_PASS }}" >> "$GITHUB_ENV"
       - name: Build native binaries
         run: ./build.sh deploy
         if: matrix.os != 'linux'