FiloSottile / age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
https://age-encryption.org
BSD 3-Clause "New" or "Revised" License

Skip signing if key pass isn't available #377

Closed mikecook closed 2 years ago

mikecook commented 2 years ago

Environmental secrets are not shared to workflows run from forks without extra work by Maintainers.

The existing build workflow uses a secret to sign Windows exes and is breaking for all external PRs.

See: https://github.com/FiloSottile/age/pull/353#issuecomment-997159334

mikecook commented 2 years ago

> I think builds should build for PRs. This is useful for internal development (although whether the developer uses this workflow or not is up to them) to confirm that CI works before a release is tagged. If your builds only run on tagged releases, chances are your releases will be broken the first time around when it comes time for them.

Reasonable, but it does depend on developer workflow, and that hasn't been established yet.

> Also GitHub has some plumbing to block CI runs on PRs for first-time contributors, and for returning contributors having builds in place serves a purpose.

That plumbing is already enabled for this repo, but because environment secrets don't get passed it leads to breakage when secrets are involved.

> I suggest instead fixing the builds so the signing step is optional and only runs when the source repo is this repo and run everything else as normal.

That's my favorite solution, ...and I just figured out how to do that, revising PR
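An added example of the approach discussed above, not the workflow from this PR or from the age repository: a GitHub Actions job in which only the signing step is skipped when the run comes from a fork or the secret is empty, while the build and upload steps run as normal. The secret name `SIGN_KEY_PASS`, the job name, and the `build.sh` / `sign.sh` scripts are hypothetical placeholders.

```yaml
# Added example; job, secret and script names are hypothetical.
name: Build
on:
  push:
  pull_request:

jobs:
  build-windows:
    runs-on: ubuntu-latest
    env:
      # Secrets are withheld from runs triggered by fork PRs, so this
      # expands to an empty string there. The `secrets` context cannot be
      # used directly in a step-level `if:`, hence the env indirection.
      SIGN_KEY_PASS: ${{ secrets.SIGN_KEY_PASS }}
    steps:
      - uses: actions/checkout@v4

      - name: Build Windows binary
        run: ./build.sh windows amd64   # placeholder for the real build command

      # Sign only when the key passphrase is present AND the code being
      # built comes from this repository (push, or a PR from a same-repo branch).
      - name: Sign Windows binary
        if: >-
          env.SIGN_KEY_PASS != '' &&
          (github.event_name != 'pull_request' ||
          github.event.pull_request.head.repo.full_name == github.repository)
        run: ./sign.sh age.exe          # placeholder for the real signing command

      # Make the skip visible in the log instead of failing the job.
      - name: Note unsigned build
        if: env.SIGN_KEY_PASS == ''
        run: echo "Signing key not available; binary left unsigned."

      # Everything else runs as normal, signed or not.
      - uses: actions/upload-artifact@v4
        with:
          name: age-windows
          path: age.exe
```

Release jobs that must never ship an unsigned binary can invert the last check and fail when the secret is empty on a tag push.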

FiloSottile commented 2 years ago

Thank you!