From 0c07c2847b94dca20fa28043e9bd1e9e343815b4 Mon Sep 17 00:00:00 2001
From: Peter Dragun
Date: Tue, 21 Apr 2026 13:14:17 +0200
Subject: [PATCH] fix: restrict binary signing to espressif org push events only

Signing was running on all builds including PRs. Since secrets are accessible on internal PRs, unreviewed code could be signed before merge. Now signing only runs on push events in the espressif org, ensuring only merged code gets signed.

Co-Authored-By: Claude Sonnet 4.6
---
 README.md  | 3 +++
 action.yml | 9 ++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 9da972f..3b81c05 100644
--- a/README.md
+++ b/README.md
@@ -174,6 +174,9 @@ If you would like to sign Windows binaries, you can configure Azure Key Vault cr
 
 The action uses the [espressif/release-sign](https://github.com/espressif/release-sign) action internally, which requires Azure credentials to access a certificate stored in Azure Key Vault. If the Azure client secret is not set, signing will be skipped with a warning message.
 
+> [!NOTE]
+> Signing only runs on `push` and `release` events within the `espressif` GitHub organization. Pull request builds will compile and test the binary but skip signing, even if Azure credentials are provided. This ensures only reviewed and merged code is signed.
+
 To enable signing, you must explicitly pass the Azure credentials as inputs from your workflow. Set the following secrets in your repository and pass them to the action:
 
 ```yaml
diff --git a/action.yml b/action.yml
index 902a629..fbc09a4 100644
--- a/action.yml
+++ b/action.yml
@@ -262,14 +262,16 @@ runs:
 
     - name: Check signing certificate
       if: |
-        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret == ''
+        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret == '' &&
+        (github.event_name == 'push' || github.event_name == 'release') && github.repository_owner == 'espressif'
       shell: pwsh
       run: |
         Write-Host "::warning title=Signing::Azure client secret is not set, skipping signing"
 
     - name: Sign binaries
       if: |
-        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret != ''
+        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret != '' &&
+        (github.event_name == 'push' || github.event_name == 'release') && github.repository_owner == 'espressif'
       uses: espressif/release-sign@master
       with:
         path: ${{ inputs.output-dir }}
@@ -281,6 +283,7 @@ runs:
 
     - name: Remove leftover signature files
       if: |
-        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret != ''
+        inputs.target-platform == 'windows-amd64' && inputs.azure-client-secret != '' &&
+        (github.event_name == 'push' || github.event_name == 'release') && github.repository_owner == 'espressif'
       shell: bash
       run: find ./${{ inputs.output-dir }} -name "*.sig" -type f -delete
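Review bot: The `push` gate added to the `Sign binaries` condition still signs a direct push to any branch of an `espressif`-owned repository, so the commit message's claim that only merged code gets signed holds only where branch protection forbids direct pushes to the branches that matter. If release artefacts are tag-driven, making that explicit with `(github.event_name == 'release' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')))` (or a comparison of `github.ref` against the release branch) would narrow the window; this is an inference about the release flow, so confirm against the consuming workflows. The same three-clause condition is repeated in `Check signing certificate` above and in the `Remove leftover signature files` hunk below, so the three `if:` blocks will drift apart unless the decision is computed once in a preceding step and exposed as an output the three steps reference. Two documentation gaps: the commit description mentions only `push` while the code also admits `release`, and neither it nor the README note says that `workflow_dispatch` runs are now excluded from signing, which anyone triggering a manual release build will discover only by the missing signature.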