
Security: restrict Apple Developer secrets to distribution-only CI builds#304

Draft
Copilot wants to merge 2 commits into main from copilot/audit-crystal-supply-chain-vulnerabilities

Conversation

Contributor

Copilot AI commented Mar 25, 2026

Apple Developer secrets (CERTIFICATE_NAME, APPLE_ID, APPLE_TEAM_ID, APPLE_APP_SPECIFIC_PASSWORD) were injected into the macOS build step's process environment on every CI run — including routine pushes to main — not just when signing/notarizing a distribution artifact.

Changes

  • Split the macOS build step into two mutually-exclusive steps:
    • Build .app (not distributing) — no secrets; runs on all non-distribution CI runs
    • Build .app and disk image (distributing) — Apple secrets injected; gated on build_dist_artifact == 'true' via workflow_dispatch
  • Update the "Upload py2app logs" failure check to reference both new step IDs.

Other findings (not fixed)

| Finding | Risk |
| --- | --- |
| First-party Actions pinned to major version tags (@v4, @v5) rather than immutable SHAs | Low–Medium |
| Third-party action egor-tensin/setup-gcc@v1 pinned to a floating tag | Low — only used in opt-in ASAN builds |
| Completely unpinned deps: boto3 = "*", truststore = "*", apsw = "*", wmi = "*" | Low–Medium — mitigated by poetry.lock in development |
| Public fork access to secrets | None — workflow never triggers on pull_request; GitHub blocks fork secret access by default |
Original prompt

Audit Crystal for any supply chain vulnerabilities, such as unpinned dependency versions, unnecessary exposure of secrets to CI runs that don't require them, ability for a public fork to run CI jobs in a way that accesses the original repository's secrets, etc.

Do any obvious fixes, if any. Report on all findings, including issues not fixed.

Suspected existing issues: All CI jobs have access to the Apple Developer secrets even when not performing a publish operation.
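The step split described above, written out as an added GitHub Actions fragment (not the project's own workflow, and not part of the PR). The secret names, the build_dist_artifact input and the step names come from the PR description; the job name, step ids, make targets and log path are assumed.

```yaml
# Added example, not the repository's workflow. Assumed: job "macos",
# step ids "build-app"/"build-dist", "make app"/"make dist", log path.
on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      build_dist_artifact:
        description: "Sign, notarize and build the distributable disk image"
        default: "false"   # untyped input, so compared as the string 'true'

jobs:
  macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      # Weak form the PR removes: one step whose env carried the Apple
      # secrets on every run, including routine pushes to main.
      # - name: Build .app
      #   env: { APPLE_ID: "${{ secrets.APPLE_ID }}", ... }
      #   run: make dist

      # Non-distribution runs: no secrets in the process environment.
      - name: Build .app (not distributing)
        id: build-app
        if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.build_dist_artifact == 'true') }}
        run: make app

      # Distribution runs only; reachable solely via a manual dispatch.
      - name: Build .app and disk image (distributing)
        id: build-dist
        if: ${{ github.event_name == 'workflow_dispatch' && inputs.build_dist_artifact == 'true' }}
        env:
          CERTIFICATE_NAME: ${{ secrets.CERTIFICATE_NAME }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
        run: make dist

      # Failure check updated to reference both new step ids.
      - name: Upload py2app logs
        if: ${{ failure() && (steps.build-app.outcome == 'failure' || steps.build-dist.outcome == 'failure') }}
        uses: actions/upload-artifact@v4
        with:
          name: py2app-logs
          path: build/py2app-logs/
```

The two `if:` conditions are exact negations of each other, so exactly one build step runs per job; a push to main can never satisfy the distribution condition because its event name is not workflow_dispatch.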



Copilot AI changed the title from "[WIP] Audit Crystal for supply chain vulnerabilities and report findings" to "Security: restrict Apple Developer secrets to distribution-only CI builds" on Mar 25, 2026
Copilot AI requested a review from davidfstr March 25, 2026 15:26