fix(ci): keep macos/ios build lanes running when Apple signing secrets are missing

The release preflight used to set should_build_platform=false whenever any Apple signing secret was unset, which silently skipped the entire macos dmg and ios ipa lanes (build + upload gated on that flag). Result: releases only shipped linux, windows and android artifacts even when the iOS/macOS lanes were otherwise healthy. Make the preflight always release the lane, but emit a :⚠️: and annotate the skip_reason when a secret is missing. The iOS branch in build_matrix_artifacts.sh now picks the signed vs unsigned build path based on actual secret availability instead of should_release alone, so it falls back to flutter build ios --no-codesign + zip Runner.app whenever a secret is absent. package-flutter-mac-app.sh already handled the no-secret case locally (ad-hoc codesign --sign -) and needs no change. Behavior matrix: macos: secret present -> signed DMG; secret missing -> unsigned DMG ios: secret present + release -> signed IPA secret present + non-release -> unsigned zip secret missing (any) -> unsigned zip
2026-06-05 18:39:25 +08:00 · 2026-06-05 18:39:25 +08:00 · c98bce9dde
commit c98bce9dde
parent 6d5122682c
2 changed files with 40 additions and 11 deletions
--- a/scripts/ci/build_matrix_artifacts.sh
+++ b/scripts/ci/build_matrix_artifacts.sh
@ -26,10 +26,30 @@ case "$platform" in
    pwsh -File ./scripts/package-windows-msi.ps1 -Arch "$arch"
    ;;
  ios)
-    if [[ "$should_release" == "true" ]]; then
-      bash ./scripts/package-ios-ipa.sh
+    ios_signing_secrets=(
+      APPLE_CERT_P12_BASE64
+      APPLE_CERT_PASSWORD
+      APPLE_PROVISION_PROFILE_BASE64
+      APPLE_KEYCHAIN_PASSWORD
+    )
+    ios_missing=()
+    for var_name in "${ios_signing_secrets[@]}"; do
+      if [[ -z "${!var_name:-}" ]]; then
+        ios_missing+=("$var_name")
+      fi
+    done
+
+    if [[ "${#ios_missing[@]}" -gt 0 ]]; then
+      echo "Apple signing secrets unavailable (missing: ${ios_missing[*]}); building unsigned iOS app bundle."
+      build_unsigned_ios_bundle=1
+    elif [[ "$should_release" == "true" ]]; then
+      build_unsigned_ios_bundle=0
    else
-      echo "Release secrets not required for non-release runs; building unsigned iOS app bundle."
+      echo "Release not requested; building unsigned iOS app bundle."
+      build_unsigned_ios_bundle=1
+    fi
+
+    if [[ "$build_unsigned_ios_bundle" -eq 1 ]]; then
      flutter build ios --release --no-codesign \
        --build-name="$PLATFORM_RELEASE_VERSION" \
        --build-number="$BUILD_NUMBER" \
@ -42,6 +62,8 @@ case "$platform" in
        zip -qry XWorkmate.app.zip Runner.app
        mv XWorkmate.app.zip ../../../dist/ios/
      )
+    else
+      bash ./scripts/package-ios-ipa.sh
    fi
    ;;
  android)
--- a/scripts/ci/platform_preflight.sh
+++ b/scripts/ci/platform_preflight.sh
@ -24,12 +24,22 @@ set_build_state() {
  emit_output "skip_reason" "$reason"

  if [[ "$should_build" == "true" ]]; then
-    echo "Preflight passed for $platform."
+    if [[ -n "$reason" ]]; then
+      echo "Preflight passed for $platform with warning: $reason"
+    else
+      echo "Preflight passed for $platform."
+    fi
  else
    echo "Skipping $platform lane: $reason"
  fi
 }

+warn_unsigned_build() {
+  local missing="$1"
+  echo "::warning::$platform build will run without Apple signing secrets (missing: $missing)." \
+    "Output artifacts will be unsigned/ad-hoc. Configure the Apple signing secrets to enable signed packaging."
+}
+
 case "$platform" in
  linux)
    set_build_state "true" ""
@ -52,18 +62,14 @@ case "$platform" in
    done

    if [[ "${#missing[@]}" -gt 0 ]]; then
-      set_build_state "false" "missing macOS signing secrets: ${missing[*]}"
+      warn_unsigned_build "${missing[*]}"
+      set_build_state "true" "missing macOS signing secrets: ${missing[*]}; will produce unsigned DMG"
      exit 0
    fi

    set_build_state "true" ""
    ;;
  ios)
-    if [[ "$should_release" != "true" ]]; then
-      set_build_state "true" ""
-      exit 0
-    fi
-
    required_vars=(
      APPLE_CERT_P12_BASE64
      APPLE_CERT_PASSWORD
@ -79,7 +85,8 @@ case "$platform" in
    done

    if [[ "${#missing[@]}" -gt 0 ]]; then
-      set_build_state "false" "missing iOS signing secrets: ${missing[*]}"
+      warn_unsigned_build "${missing[*]}"
+      set_build_state "true" "missing iOS signing secrets: ${missing[*]}; will produce unsigned app bundle"
      exit 0
    fi