ci(1password): integrate 1Password secrets in release workflows #296
base: main
💡 Codex Review
Here are some automated review suggestions for this pull request.
| - name: Build with Tauri (signed) | ||
| working-directory: ${{env.working-directory}} | ||
| env: | ||
| # Provided by 1Password load-secrets action | ||
| TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} | ||
| run: | | ||
| yarn run tauri build |
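Review bot: The comment `# Provided by 1Password load-secrets action` above `TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}` is misleading: the value on that line comes from the expression context, not from the action, and the explicit assignment adds nothing over the variable the load-secrets step already exported into this job's environment. Drop the comment and the assignment together, and delete the `env:` key rather than leaving it with nothing but a comment under it, since an `env:` with no entries parses as an empty value instead of a mapping.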
Preserve TAURI_PRIVATE_KEY exported by load-secrets-action
The build step overrides the TAURI_PRIVATE_KEY environment variable with env: TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}. Secrets loaded by 1password/load-secrets-action@v2 are written to $GITHUB_ENV, so they are available to subsequent steps only as runtime environment variables, not via the ${{ env.* }} context. When this expression is evaluated it expands to an empty string, wiping the secret that the previous step exported. As a result the Tauri build runs without the signing key and produces unsigned artifacts (or fails if signing is required). Removing the explicit env: override or referencing the action’s outputs avoids clearing the secret.
| - name: Build Tauri app (signed) | ||
| working-directory: ./desktop | ||
| env: | ||
| TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} | ||
| run: yarn tauri build | ||
| env: |
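Review bot: The trailing `env:` line after `run: yarn tauri build` reads as a second `env:` mapping on the same step; if it is, that is a duplicate key, which YAML loaders either reject or resolve by letting the later mapping win, so the signing-key assignment above may never take effect however `${{ env.TAURI_PRIVATE_KEY }}` resolves. Merge the two into one `env:` block and drop the `TAURI_PRIVATE_KEY` reassignment, since the value exported by the load-secrets step is already inherited by this step.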
Signing key dropped from desktop release matrix
The “Build Tauri app (signed)” step explicitly sets TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}. Because the key was introduced by load-secrets-action@v2 using $GITHUB_ENV, the ${{ env.* }} context does not contain it and the expression evaluates to an empty string. This overrides the real secret and the subsequent yarn tauri build runs without TAURI_PRIVATE_KEY, preventing the desktop artifacts from being signed. Avoid overriding the variable or reference the action outputs directly so the signing key remains available.
@claude fix
Claude finished @AlexMikhalev's task
Fixing TAURI_PRIVATE_KEY secret handling
I've analyzed the issue and identified the problem in all three workflow files. Unfortunately, I cannot directly modify files in .github/workflows/ due to GitHub App permissions restrictions.
Todo List:
- Read and analyze affected workflow files
- Identify all locations where TAURI_PRIVATE_KEY is being overridden
- Document the fix for release-comprehensive.yml
- Document the fix for tauri-build.yml
- Document the fix for publish-tauri.yml
The Problem
The 1password/load-secrets-action@v2 exports secrets to $GITHUB_ENV, making them available as runtime environment variables in subsequent steps. However, when you explicitly set env: TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}, the ${{ env.* }} context doesn't contain the secret (it's not available in the GitHub Actions context), so this expression evaluates to an empty string and overrides the real secret.
The Fix
Remove the explicit env: override in the build steps. The environment variable is already available from the load-secrets-action step.
File 1: .github/workflows/release-comprehensive.yml
Lines 221-226 - Remove the explicit TAURI_PRIVATE_KEY override:
```yaml
# BEFORE (lines 221-226):
- name: Build Tauri app (signed)
  working-directory: ./desktop
  env:
    TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} # ❌ This clears the secret!
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: yarn tauri build

# AFTER:
- name: Build Tauri app (signed)
  working-directory: ./desktop
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # TAURI_PRIVATE_KEY is already available from load-secrets-action
  run: yarn tauri build
```
File 2: .github/workflows/tauri-build.yml
Lines 122-127 - Remove the explicit TAURI_PRIVATE_KEY override:
```yaml
# BEFORE (lines 122-127):
- name: Build Tauri app (signed)
  working-directory: ${{ env.WORKING_DIRECTORY }}
  env:
    TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} # ❌ This clears the secret!
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: yarn tauri build

# AFTER:
- name: Build Tauri app (signed)
  working-directory: ${{ env.WORKING_DIRECTORY }}
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # TAURI_PRIVATE_KEY is already available from load-secrets-action
  run: yarn tauri build
```
File 3: .github/workflows/publish-tauri.yml
Lines 95-101 - Remove the explicit TAURI_PRIVATE_KEY override:
```yaml
# BEFORE (lines 95-101):
- name: Build with Tauri (signed)
  working-directory: ${{env.working-directory}}
  env:
    # Provided by 1Password load-secrets action
    TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} # ❌ This clears the secret!
  run: |
    yarn run tauri build

# AFTER:
- name: Build with Tauri (signed)
  working-directory: ${{env.working-directory}}
  # TAURI_PRIVATE_KEY is already available from load-secrets-action;
  # the env: block is removed entirely rather than left empty
  run: |
    yarn run tauri build
```
Why This Works
When 1password/load-secrets-action@v2 runs with export-env: true, it writes the secrets to $GITHUB_ENV, which makes them available as environment variables in all subsequent steps. You don't need to (and shouldn't) explicitly pass them via the env: block using the ${{ env.* }} context, because that context doesn't have access to variables written to $GITHUB_ENV.
Manual Steps Required
Since I cannot modify workflow files, please apply these changes manually:
- Edit .github/workflows/release-comprehensive.yml and remove line 224
- Edit .github/workflows/tauri-build.yml and remove line 125
- Edit .github/workflows/publish-tauri.yml and remove line 99
- Commit and push the changes
Alternatively, you can grant me permissions to modify workflow files by updating my allowed tools configuration, though this may have security implications for your CI/CD pipeline.
.github/workflows/tauri-build.yml
| - name: Build Tauri app (signed) | ||
| working-directory: ${{ env.WORKING_DIRECTORY }} | ||
| env: | ||
| TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} | ||
| run: yarn tauri build |
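Review bot: The `TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}` assignment is redundant at best: a variable exported through $GITHUB_ENV by the load-secrets step is already inherited by this step's `run:` shell, and reassigning it from the expression context can only leave it unchanged or, as noted elsewhere in this thread, blank it. Remove the line, and consider a guard before `yarn tauri build` that fails the job when the variable is empty, so an unsigned artifact is never produced silently.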
Tauri build workflow clears loaded signing secret
After loading secrets with 1password/load-secrets-action@v2, the build step sets TAURI_PRIVATE_KEY from ${{ env.TAURI_PRIVATE_KEY }}. Environment variables written via $GITHUB_ENV are not reflected in the env context, so this expression expands to an empty value and overwrites the secret previously exported by the action. The yarn tauri build command therefore executes without TAURI_PRIVATE_KEY, producing unsigned binaries. Let the variable flow through from the secret-loading step or wire it via the action outputs rather than reassigning it here.
@claude fix
Claude finished @AlexMikhalev's task
Analysis Complete
Todo:
- Read affected workflow files
- Analyze the issue
- Provide fix instructions
Issue Summary
The problem is that the 1password/load-secrets-action@v2 writes secrets to $GITHUB_ENV, making them available to subsequent steps as environment variables. However, explicitly setting TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} in the build steps evaluates the ${{ env.* }} context (which doesn't contain the secret yet) and overwrites the environment variable with an empty string.
Files That Need Changes
Unfortunately, I cannot modify workflow files in .github/workflows/ due to GitHub App permissions restrictions. You'll need to make these changes manually.
Required Changes
1. .github/workflows/tauri-build.yml (Lines 122-127)
Current code:
```yaml
- name: Build Tauri app (signed)
  working-directory: ${{ env.WORKING_DIRECTORY }}
  env:
    TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: yarn tauri build
```
Fixed code:
```yaml
- name: Build Tauri app (signed)
  working-directory: ${{ env.WORKING_DIRECTORY }}
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # TAURI_PRIVATE_KEY is already in the environment from load-secrets-action
  run: yarn tauri build
```
2. .github/workflows/release-comprehensive.yml (Lines 221-226)
Current code:
```yaml
- name: Build Tauri app (signed)
  working-directory: ./desktop
  env:
    TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: yarn tauri build
```
Fixed code:
```yaml
- name: Build Tauri app (signed)
  working-directory: ./desktop
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # TAURI_PRIVATE_KEY is already in the environment from load-secrets-action
  run: yarn tauri build
```
3. .github/workflows/publish-tauri.yml (Lines 95-101)
Current code:
```yaml
- name: Build with Tauri (signed)
  working-directory: ${{env.working-directory}}
  env:
    # Provided by 1Password load-secrets action
    TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }}
  run: |
    yarn run tauri build
```
Fixed code:
```yaml
- name: Build with Tauri (signed)
  working-directory: ${{env.working-directory}}
  # TAURI_PRIVATE_KEY is already in the environment from load-secrets-action;
  # the env: block is removed entirely rather than left empty
  run: |
    yarn run tauri build
```
Explanation
The 1password/load-secrets-action@v2 with export-env: true writes secrets directly to $GITHUB_ENV, which makes them available as environment variables in all subsequent steps automatically. By removing the explicit TAURI_PRIVATE_KEY: ${{ env.TAURI_PRIVATE_KEY }} override, the signing key will flow through correctly from the secrets-loading step.
Alternative Solution (Not Recommended)
If you prefer to keep the explicit env declaration, you could use action outputs instead, but this requires more changes and is unnecessary since the environment variable is already available.
Next Steps
Please make these three changes manually and commit them to this PR. The Tauri builds should then have access to the signing key and produce properly signed artifacts.
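A fail-fast guard a practitioner could place as a step before the signing build, so a missing or empty TAURI_PRIVATE_KEY stops the job instead of silently yielding unsigned artifacts. This is an added example, not code from the PR or its workflows; the script file name and its use as a `run:` step are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not part of the PR): fail-fast check that the secrets an
# earlier step exported via $GITHUB_ENV are really present in this step's
# environment before a signing build runs.
#
# Intended use as a workflow step placed before "yarn tauri build"
# (file name is an assumption):
#   run: sh check-signing-env.sh TAURI_PRIVATE_KEY

# require_env NAME... : returns 0 when every named variable is set and
# non-empty; otherwise emits one ::error:: annotation per missing variable
# and returns 1. Values are never printed, only their presence and length.
require_env() {
    missing=0
    for name in "$@"; do
        # Only accept identifier-shaped names; the value is read via eval
        # below, so anything else must be rejected before it gets there.
        case $name in
            ""|[0-9]*|*[!A-Za-z0-9_]*)
                echo "::error::invalid variable name: $name"
                missing=1
                continue
                ;;
        esac
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "::error::$name is unset or empty; refusing to build unsigned artifacts"
            missing=1
        else
            echo "$name present (${#value} characters)"
        fi
    done
    return $missing
}

# When invoked with arguments, run the check and fail the step on any miss;
# with no arguments the file can be sourced to reuse require_env.
if [ "$#" -gt 0 ]; then
    require_env "$@" || exit 1
fi
```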
Notes:
This PR focuses on release pipeline reliability and secret hygiene.