Fail release builds with empty OAuth secret

[mokagio]

Rationale

In #13's review, @iangmaia flagged that the Makefile recipe injecting WPCOMOAuthClientSecret had no validation: if WPCOM_OAUTH_CLIENT_SECRET was unset (or its file path empty) the plutil -replace call still ran with an empty string, so the build could happily produce a signed-and-notarized artifact that authenticates as nobody. CI's .buildkite/commands/build.sh invokes make release directly, so the upfront env check in Tools/manual-release.sh didn't cover it.

This PR extracts the post-build verification into Tools/verify-oauth-secret.sh and makes notarize-app depend on it, so every artifact-producing path (make zip, make release, Tools/manual-release.sh) runs the same check. The default make target stays untouched — dev iteration without a secret keeps working.

Gotcha

The inline check that used to live in manual-release.sh had a latent bug:

SECRET_LENGTH=$(plutil -extract WPCOMOAuthClientSecret raw -o - "$plist" | wc -c | tr -d ' ')
[ "$SECRET_LENGTH" -eq 0 ] && die ...

plutil -extract … raw emits a trailing newline, so wc -c returned 1 for the empty case and the guard never fired. The new script uses secret=$(plutil …) + [ -z "$secret" ]; command substitution strips the newline, so both the empty-string and missing-key cases trip the check. See the commit body for more.

How to test

From a clean tree (in the worktree):

make clean && make verify-oauth-secret
# → build succeeds, then exits 1: "missing WPCOMOAuthClientSecret"

make clean && WPCOM_OAUTH_CLIENT_SECRET=test-value make verify-oauth-secret
# → build succeeds, verify exits 0 silently

make --dry-run release will show Tools/verify-oauth-secret.sh running after the build and before Tools/notarize.sh, so a missing secret fails fast (no wasted notary-service round-trip).

CI on this branch exercises the happy path.

[Copilot]

Pull request overview

This PR adds a shared, post-build verification step to ensure release/packaging builds fail if the WordPress.com OAuth client secret wasn’t injected into the app bundle, preventing signed/notarized artifacts that cannot authenticate.

Changes:

• Added Tools/verify-oauth-secret.sh to validate WPCOMOAuthClientSecret in the built app’s Info.plist.
• Updated Tools/manual-release.sh to call the new verifier instead of duplicating the check inline.
• Updated Makefile to add a verify-oauth-secret target and make notarize-app depend on it so all artifact-producing paths run the check.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
Tools/verify-oauth-secret.sh	New script to validate the OAuth secret exists and is non-empty in the built app bundle.
Tools/manual-release.sh	Replaces inline secret validation with a call to the shared verifier script.
Makefile	Adds verify-oauth-secret target and wires it into the notarization/release chain.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mokagio]

Good point — confirmed WPCOMClient.swift trims clientSecret with .whitespacesAndNewlines, so a whitespace-only value would authenticate as nobody just like an empty one. Fixed in 12eca98: the check now strips all whitespace before the -z test, so empty and whitespace-only values both fail. Verified against empty, whitespace-only, and real-value fixtures.

Posted by Claude (Opus 4.7) on behalf of @mokagio with approval.