Repository Secrets
En Parlant~ uses GitHub Actions to build release binaries for Windows, macOS, and Linux. The CI pipeline needs credentials for code signing, update signing, virus scanning, and the multiplayer relay URL. These are stored as GitHub repository secrets — encrypted values that GitHub injects into workflow runs but never displays.
If you fork En Parlant~ and want to produce your own signed builds, you’ll need to set up your own secrets. The builds will still compile without them, but the binaries won’t be signed, updates won’t verify, and the VirusTotal scan step will be skipped.
The Secrets
Azure Trusted Signing (Windows code signing)
Windows users get a SmartScreen warning (“Windows protected your PC”) when they run an unsigned .exe. Code signing eliminates that warning and tells Windows the binary comes from a verified publisher.
En Parlant~ uses Azure Trusted Signing for this. The Tauri build invokes trusted-signing-cli during the Windows build step, which talks to Azure to sign the executable.
| Secret | Purpose |
|---|---|
| AZURE_CLIENT_ID | Service principal app ID |
| AZURE_CLIENT_SECRET | Service principal credential |
| AZURE_TENANT_ID | Azure AD tenant |
| AZURE_SUBSCRIPTION_ID | Azure subscription |
| AZURE_CODE_SIGNING_ACCOUNT | Trusted Signing account name |
| AZURE_CODE_SIGNING_ENDPOINT | Trusted Signing endpoint URL |
| AZURE_CODE_SIGNING_PROFILE | Certificate profile name |
To set up your own: Create an Azure account, set up a Trusted Signing resource, create a certificate profile, and register a service principal with the appropriate permissions. Microsoft’s Trusted Signing quickstart walks through the process.
If you skip this: Windows builds still work, but your users will be greeted by the dreaded blue SmartScreen of Death — you know the one. We’ve all clicked “Run anyway” and hoped for the best. macOS and Linux builds are unaffected.
Tauri Update Signing
Tauri’s built-in updater verifies that updates come from the real publisher, not a tampered source. When the app checks for a new version, it downloads the update and verifies its signature against a public key embedded in the app. The private key that creates those signatures lives in CI.
| Secret | Purpose |
|---|---|
| TAURI_PRIVATE_KEY | Ed25519 private key for signing updates |
| TAURI_KEY_PASSWORD | Password protecting the private key |
To set up your own: Generate a keypair with pnpm tauri signer generate. Put the private key and password in your repo secrets, and the public key in tauri.conf.json under plugins.updater.pubkey.
If you skip this: The app builds fine, but the auto-updater won’t work. Users would need to download new versions manually.
VirusTotal
After building release artifacts, the CI pipeline uploads every binary (.exe, .dmg, .deb, .rpm, .AppImage) to VirusTotal for automated malware scanning. This is a trust signal — users can verify that the official builds are clean.
| Secret | Purpose |
|---|---|
| VIRUSTOTAL_API_KEY | API key for the VirusTotal v3 API |
To set up your own: Create a free VirusTotal account and copy your API key from your profile.
If you skip this: The VirusTotal scan step fails silently. Builds still succeed and release normally — you just won’t have automated scan results.
Multiplayer Relay URL
The multiplayer relay server URL is injected at build time so the app knows where to connect for online games.
| Secret | Purpose |
|---|---|
| VITE_RELAY_URL | WebSocket URL for the multiplayer relay (e.g., wss://your-relay.fly.dev) |
To set up your own: Deploy your own relay server (see the Multiplayer Server setup guide) and set this to its public URL.
If you skip this: Multiplayer still works if you set the relay URL in the app’s settings at runtime. This secret just sets the default so users don’t have to configure it manually.
Summary
| Secret Group | Required for | Can you skip it? |
|---|---|---|
| Azure (7 secrets) | Signed Windows builds | Yes — builds work, users get SmartScreen warning |
| Tauri (2 secrets) | Auto-updater | Yes — builds work, no auto-update |
| VirusTotal (1 secret) | Malware scan reports | Yes — builds work, no scan results |
| Relay URL (1 secret) | Default multiplayer server | Yes — users can set it in app settings |
None of these secrets are required to build and run the app locally. They only matter for CI/CD release builds.
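For forks that do configure secrets, a preflight step can make a skipped or half-configured group visible instead of silent. The script below is an added example, not part of En Parlant~'s workflows; it assumes the secrets are exposed to the step as environment variables under the names listed above, and its function names and output format are its own.

```shell
# Added example (not En Parlant~'s workflow code): preflight check for the release
# secrets named on this page. Only variable names are printed, never values.
AZURE_VARS="AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_CODE_SIGNING_ACCOUNT AZURE_CODE_SIGNING_ENDPOINT AZURE_CODE_SIGNING_PROFILE"
TAURI_VARS="TAURI_PRIVATE_KEY TAURI_KEY_PASSWORD"

# Print "complete", "missing", or "partial:<unset names>" for the given names.
group_status() (
  set_count=0 unset_names=""
  for name in "$@"; do
    eval "value=\${$name:-}"   # names come from the fixed lists above
    if [ -n "$value" ]; then
      set_count=$((set_count + 1))
    else
      unset_names="${unset_names:+$unset_names,}$name"
    fi
  done
  if [ -z "$unset_names" ]; then echo "complete"
  elif [ "$set_count" -eq 0 ]; then echo "missing"
  else echo "partial:$unset_names"; fi
)

# What the page says happens when a group is skipped.
consequence() {
  case $1 in
    azure)      echo "Windows build unsigned, SmartScreen warning" ;;
    tauri)      echo "auto-updater will not work" ;;
    virustotal) echo "no automated scan results" ;;
    relay)      echo "users set the relay URL in app settings" ;;
  esac
}

# Report every group; exit status 1 if any group is only partly configured.
preflight() (
  rc=0
  for entry in "azure:$AZURE_VARS" "tauri:$TAURI_VARS" "virustotal:VIRUSTOTAL_API_KEY" "relay:VITE_RELAY_URL"; do
    group=${entry%%:*}
    status=$(group_status ${entry#*:})   # unquoted on purpose: split the name list
    case $status in
      complete)  echo "$group: complete" ;;
      missing)   echo "$group: missing ($(consequence "$group"))" ;;
      partial:*) echo "$group: $status" >&2; rc=1 ;;
    esac
  done
  exit "$rc"
)

# In a release job use `preflight || exit 1` to stop on a partial group.
preflight || echo "preflight: a secret group is only partly configured" >&2
```

A group reported as partial (for example TAURI_PRIVATE_KEY set without TAURI_KEY_PASSWORD) is the case worth failing on, since it would otherwise surface later as a failed or skipped signing step.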