Summary

• reject macOS auto-update checks when the installed app only has an ad-hoc or otherwise unsuitable code signature
• derive the updater cache directory from app-update.yml and ensure generated electron-builder metadata uses the OpenWork app name
• split macOS and Windows signing secrets in the desktop release workflow, while allowing explicitly opted-in unsigned prerelease test builds

Testing

• bun test apps/electron/src/main/tests/auto-update-signature.test.ts
• npx eslint src/main/auto-update.ts src/main/auto-update-signature.ts src/main/tests/auto-update-signature.test.ts
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/desktop-release.yml"); puts "workflow yaml ok"'\n- git diff --check\n- CRAFT_BRAND=openwork bun run electron:builder-config\n\n## Notes\nUnsigned prerelease builds are only for manual tester installs. They do not validate the macOS auto-update path.