From 2ebe3c57f167ba45e5ad16b513b627a959e1d152 Mon Sep 17 00:00:00 2001
From: Aditya
Date: Mon, 29 Jun 2026 17:20:02 +0530
Subject: [PATCH 1/2] fix(ci): sanitize TAURI_SIGNING_PRIVATE_KEY before tauri build to remove trailing terminal prompt artifact (%) or URL encoding
---
 .github/workflows/release.yml | 12 +++++++++++-
 AUDIT_LOG.md | 10 ++++++++++
 CHANGELOG.md | 3 +++
 3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 700f3d1..224c391 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,11 +56,21 @@ jobs:
 - run: npm ci
+ - name: Sanitize Tauri Signing Key
+ env:
+ RAW_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+ run: |
+ CLEAN_KEY=$(echo -n "$RAW_KEY" | python3 -c "import sys, urllib.parse; k = sys.stdin.read().strip(); k = k[:-1] if k.endswith('%') else k; k = urllib.parse.unquote(k) if '%' in k else k; print(k, end='')")
+ echo "::add-mask::$CLEAN_KEY"
+ echo "TAURI_SIGNING_PRIVATE_KEY<> $GITHUB_ENV
+ echo "$CLEAN_KEY" >> $GITHUB_ENV
+ echo "EOF" >> $GITHUB_ENV
+
 - name: Build and Upload Tauri App
 uses: tauri-apps/tauri-action@fce9c6108b31ea247710505d3aaaa893ee6768d4 # v0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
+ TAURI_SIGNING_PRIVATE_KEY: ${{ env.TAURI_SIGNING_PRIVATE_KEY }}
 TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
 with:
 tagName: ${{ needs.create-tag.outputs.new_tag }}
diff --git a/AUDIT_LOG.md b/AUDIT_LOG.md
index 854a378..4719f65 100644
--- a/AUDIT_LOG.md
+++ b/AUDIT_LOG.md
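Review bot: Exporting the cleaned key through `$GITHUB_ENV` in the `Sanitize Tauri Signing Key` step makes `TAURI_SIGNING_PRIVATE_KEY` an environment variable of every later step in the job, where the removed `env:` entry scoped the secret to the build step alone. Writing it to `$GITHUB_OUTPUT` under a step `id` and reading `steps.<id>.outputs.<name>` only in the build step's `env:` keeps that scoping. The multiline block also closes on a fixed `EOF` line (its opening line looks truncated on this page), and since `urllib.parse.unquote` can turn `%0A` into a newline, a decoded value may span lines: a line equal to `EOF` would end the block early, and `::add-mask::` is a one-line command, so lines after the first may not be masked. A per-run random delimiter removes the first problem; for the second, failing the step when the cleaned key is not a single line is the simplest guard. The build step continues past the end of the hunk, so whether further steps follow it is not visible here.

```yaml
      - name: Sanitize Tauri Signing Key
        id: signing_key
        # … unchanged: env RAW_KEY …
        run: |
          # … unchanged: CLEAN_KEY computation and add-mask …
          delim="KEY_$(python3 -c 'import secrets; print(secrets.token_hex(16))')"
          {
            echo "key<<$delim"
            echo "$CLEAN_KEY"
            echo "$delim"
          } >> "$GITHUB_OUTPUT"

      - name: Build and Upload Tauri App
        # … unchanged: uses, GITHUB_TOKEN, password …
          TAURI_SIGNING_PRIVATE_KEY: ${{ steps.signing_key.outputs.key }}
```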
@@ -2,6 +2,16 @@
 This log tracks all significant changes, updates, and versions in the PaperCache project.
+## 2026-06-29 (CI Signing Key Sanitization Fix)
+**Change:** fix(ci): sanitize `TAURI_SIGNING_PRIVATE_KEY` before `tauri build` to strip trailing terminal prompt artifacts (`%`) or URL encoding
+
+**Details/Why:**
+1. **Secret Key Sanitization**: When copying private keys from macOS Zsh terminals without trailing newlines (`cat ~/.tauri/papercache.key`), Zsh appends an inverted `%` symbol at EOF. When pasted into GitHub repository secrets, this trailing `%` causes base64 decoding errors (`Invalid symbol 37, offset 348`). Added a pre-build workflow step in `.github/workflows/release.yml` to automatically strip trailing `%` symbols and decode URL encoding before running `tauri-action`.
+
+**Files changed:** `.github/workflows/release.yml`, `CHANGELOG.md`, `AUDIT_LOG.md`.
+
+---
+
 ## 2026-06-29 (v0.5.7 Release: Auto-Update Overhaul, On-Demand Update Checks, and Build Fixes)
 **Change:** chore(release): bump version to 0.5.7; feat(updater): overhaul auto-update flow with real-time UI feedback ("Checking…"), toast notification with "Restart Now" button, and manifest configuration; fix(api): update `onEvent` listener helper to forward payloads to callbacks fixing TS2345 strict build error
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d021a67..b090b8b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+### Fixed
+- **Release Signing Key Sanitization**: Added automated workflow sanitization to strip trailing terminal prompt EOF symbols (`%`) or URL-encoding artifacts from `TAURI_SIGNING_PRIVATE_KEY` during CI builds.
+
 ## [v0.5.7] - 2026-06-29
 ### Added
From b7782464497b31da1741c174c821b5820d353dbf Mon Sep 17 00:00:00 2001
From: Aditya
Date: Mon, 29 Jun 2026 18:11:09 +0530
Subject: [PATCH 2/2] fix(ci): add explicit bash shell to sanitization step for cross-platform runner compatibility
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 224c391..3d5b68d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,6 +57,7 @@ jobs:
 - run: npm ci
 - name: Sanitize Tauri Signing Key
+ shell: bash
 env:
 RAW_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
 run: |