From 55791a0503ed1ea2d926a98c091eb57100f1727b Mon Sep 17 00:00:00 2001
From: Esdras Renan <monkeyesdras@gmail.com>
Date: Fri, 10 Oct 2025 21:26:09 -0300
Subject: [PATCH] ci: fix expressions using secrets.* in if by moving to
 env-based guard; add Windows-safe key injection

---
 .github/workflows/ci-cd-web-desktop.yml | 10 ++++++----
 .github/workflows/desktop-release.yml   | 15 +++++++++++----
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/ci-cd-web-desktop.yml b/.github/workflows/ci-cd-web-desktop.yml
index 9e4bbb4..2703513 100644
--- a/.github/workflows/ci-cd-web-desktop.yml
+++ b/.github/workflows/ci-cd-web-desktop.yml
@@ -332,6 +332,8 @@ jobs:
     name: Desktop Release (Windows)
     if: ${{ startsWith(github.ref, 'refs/tags/v') }}
     runs-on: [ self-hosted, windows, desktop ]
+    env:
+      TAURI_PUBLIC_KEY: ${{ secrets.TAURI_PUBLIC_KEY }}
     defaults:
       run:
         working-directory: apps/desktop
@@ -363,11 +365,11 @@ jobs:
           projectPath: apps/desktop
 
       - name: Inject Tauri public key (post)
-        if: ${{ secrets.TAURI_PUBLIC_KEY != '' }}
-        env:
-          TAURI_PUBLIC_KEY: ${{ secrets.TAURI_PUBLIC_KEY }}
+        if: ${{ env.TAURI_PUBLIC_KEY != '' }}
+        shell: pwsh
         run: |
-          sed -i "s/REPLACE_WITH_TAURI_PUBLIC_KEY/${TAURI_PUBLIC_KEY//\//\\\/}/" apps/desktop/src-tauri/tauri.conf.json || true
+          $p = 'apps/desktop/src-tauri/tauri.conf.json'
+          (Get-Content $p) -replace 'REPLACE_WITH_TAURI_PUBLIC_KEY', $env:TAURI_PUBLIC_KEY | Set-Content $p
 
       - name: Upload latest.json + bundles to VPS
         uses: appleboy/scp-action@v0.1.7
diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
index 6efb576..9c89ed1 100644
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@@ -13,6 +13,8 @@ jobs:
   build:
     name: Build ${{ matrix.platform }}
     runs-on: ${{ matrix.runner }}
+    env:
+      TAURI_PUBLIC_KEY: ${{ secrets.TAURI_PUBLIC_KEY }}
     strategy:
       fail-fast: false
       matrix:
@@ -50,14 +52,19 @@ jobs:
       - name: Install pnpm deps
         run: pnpm -C apps/desktop install --frozen-lockfile
 
-      - name: Inject Tauri public key
-        if: ${{ secrets.TAURI_PUBLIC_KEY != '' }}
-        env:
-          TAURI_PUBLIC_KEY: ${{ secrets.TAURI_PUBLIC_KEY }}
+      - name: Inject Tauri public key (Linux/macOS)
+        if: ${{ env.TAURI_PUBLIC_KEY != '' && matrix.platform != 'windows' }}
         run: |
           set -euo pipefail
           sed -i "s/REPLACE_WITH_TAURI_PUBLIC_KEY/${TAURI_PUBLIC_KEY//\//\\\/}/" apps/desktop/src-tauri/tauri.conf.json
 
+      - name: Inject Tauri public key (Windows)
+        if: ${{ env.TAURI_PUBLIC_KEY != '' && matrix.platform == 'windows' }}
+        shell: pwsh
+        run: |
+          $p = 'apps/desktop/src-tauri/tauri.conf.json'
+          (Get-Content $p) -replace 'REPLACE_WITH_TAURI_PUBLIC_KEY', $env:TAURI_PUBLIC_KEY | Set-Content $p
+
       - name: Build desktop
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}