fix: CI 解码 base64 证书为 .p12 文件后传给 CSC_LINK

electron-builder 把 base64 字符串当文件路径解析导致构建失败。
改为先 base64 --decode 写入 /tmp/cert.p12，CSC_LINK 指向文件路径。
同时加 HAS_CERT 环境变量控制签名/验证步骤的条件执行。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 7418

.github/workflows/build.yml

@@ -54,6 +54,8 @@ jobs:
   build-macos:
     if: ${{ github.event_name == 'push' || inputs.platform == 'all' || inputs.platform == 'macos' }}
     runs-on: macos-latest
+    env:
+      HAS_CERT: ${{ secrets.MAC_CERT_P12_BASE64 != '' && 'true' || 'false' }}
     steps:
       - uses: actions/checkout@v4
 
@@ -68,16 +70,23 @@ jobs:
       - name: Build Electron app
         run: npm run electron:build
 
+      - name: Decode signing certificate
+        if: ${{ env.HAS_CERT == 'true' }}
+        env:
+          MAC_CERT_P12_BASE64: ${{ secrets.MAC_CERT_P12_BASE64 }}
+        run: echo "$MAC_CERT_P12_BASE64" | base64 --decode > /tmp/cert.p12
+
       - name: Package for macOS (x64 + arm64)
         env:
-          CSC_LINK: ${{ secrets.MAC_CERT_P12_BASE64 }}
+          CSC_LINK: ${{ env.HAS_CERT == 'true' && '/tmp/cert.p12' || '' }}
           CSC_KEY_PASSWORD: ${{ secrets.MAC_CERT_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
         run: npx electron-builder --mac --config electron-builder.yml --publish never
 
       - name: Verify code signature
+        if: ${{ env.HAS_CERT == 'true' }}
         run: |
           # Verify every .app bundle produced (arm64 + x64)
           APPS=$(find release -name "CodePilot.app" -maxdepth 3)