fix(ci): gate Windows signing to GitHub Actions

Keep local desktop dev and packaging flows from invoking Azure Artifact Signing while preserving the GitHub Actions signing path for Tauri and Electron release builds.

packages/desktop-electron/electron-builder.config.ts

@@ -11,6 +11,7 @@ const signScript = path.join(rootDir, "script", "sign-windows.ps1")
 
 async function signWindows(configuration: { path: string }) {
   if (process.platform !== "win32") return
+  if (process.env.GITHUB_ACTIONS !== "true") return
 
   await execFileAsync(
     "pwsh",

packages/desktop-electron/scripts/utils.ts

@@ -63,7 +63,7 @@ export async function copyBinaryToSidecarFolder(source: string) {
   await $`mkdir -p ${dir}`
   const dest = windowsify(`${dir}/opencode-cli`)
   await $`cp ${source} ${dest}`
-  if (process.platform === "win32") {
+  if (process.platform === "win32" && Bun.env.GITHUB_ACTIONS === "true") {
     await $`pwsh -NoLogo -NoProfile -ExecutionPolicy Bypass -File ../../script/sign-windows.ps1 ${dest}`
   }
   if (process.platform === "darwin") await $`codesign --force --sign - ${dest}`

packages/desktop/scripts/utils.ts

@@ -48,7 +48,7 @@ export async function copyBinaryToSidecarFolder(source: string, target = RUST_TA
   await $`mkdir -p src-tauri/sidecars`
   const dest = windowsify(`src-tauri/sidecars/opencode-cli-${target}`)
   await $`cp ${source} ${dest}`
-  if (process.platform === "win32") {
+  if (process.platform === "win32" && Bun.env.GITHUB_ACTIONS === "true") {
     await $`pwsh -NoLogo -NoProfile -ExecutionPolicy Bypass -File ../../script/sign-windows.ps1 ${dest}`
   }
 

script/sign-windows.ps1

@@ -9,6 +9,11 @@ if (-not $Path -or $Path.Count -eq 0) {
   throw "At least one path is required"
 }
 
+if ($env:GITHUB_ACTIONS -ne "true") {
+  Write-Host "Skipping Windows signing because this is not running on GitHub Actions"
+  exit 0
+}
+
 $vars = @{
   endpoint = $env:AZURE_TRUSTED_SIGNING_ENDPOINT
   account = $env:AZURE_TRUSTED_SIGNING_ACCOUNT_NAME