diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index e994f79dc..2e11d98cb 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -53,8 +53,20 @@ jobs:
         # we want this to run always, except on "push" to "master"
         if: github.event_name != 'push' || github.ref != 'master'
         uses: ./actions/build_no_publish
+        with:
+          MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
+          MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
+          SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
+          SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
+          SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
 
       - name: Build & publish
         # we want this to run only when on "push" to "master"
         if: github.event_name == 'push' && github.ref == 'master'
         uses: ./actions/build_publish
+        with:
+          MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
+          MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
+          SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
+          SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
+          SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
diff --git a/actions/build_no_publish/action.yml b/actions/build_no_publish/action.yml
index 3830059fa..fc2c23c83 100644
--- a/actions/build_no_publish/action.yml
+++ b/actions/build_no_publish/action.yml
@@ -1,5 +1,22 @@
 name: 'Build Only (no publish)'
 description: 'Build only (no publish)'
+inputs:
+  MAC_CERTIFICATE:
+    description: 'MAC_CERTIFICATE (mac build only)'
+    required: true
+  MAC_CERTIFICATE_PASSWORD:
+    description: 'MAC_CERTIFICATE_PASSWORD (mac build only)'
+    required: true
+  SIGNING_APPLE_ID:
+    description: 'SIGNING_APPLE_ID (mac build only)'
+    required: true
+  SIGNING_APP_PASSWORD:
+    description: 'SIGNING_APP_PASSWORD (mac build only)'
+    required: true
+  SIGNING_TEAM_ID:
+    description: 'SIGNING_TEAM_ID (mac build only)'
+    required: true
+
 runs:
   using: 'composite'
   steps:
@@ -15,11 +32,11 @@ runs:
         source ./build/setup-mac-certificate.sh
         $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=never --config.directories.output=release
       env:
-        MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
-        MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
-        SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
-        SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
-        SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
+        MAC_CERTIFICATE: ${{ inputs.MAC_CERTIFICATE }}
+        MAC_CERTIFICATE_PASSWORD: ${{ inputs.MAC_CERTIFICATE_PASSWORD }}
+        SIGNING_APPLE_ID: ${{ inputs.SIGNING_APPLE_ID }}
+        SIGNING_APP_PASSWORD: ${{ inputs.SIGNING_APP_PASSWORD }}
+        SIGNING_TEAM_ID: ${{ inputs.SIGNING_TEAM_ID }}
 
     - name: Build linux production binaries
       shell: bash