Describe the bug
The secrets context is apparently not available to if conditional expressions on jobs.
To Reproduce
Create and trigger a workflow with jobs conditioned on the value of a secret:
jobs:
build_bulky_stuff:
if: ${{ secrets.BUILD_BULKY_STUFF == 'true' }}
# ...
Here's a real world example.
Expected behavior
The condition is successfully evaluated and if the secret value is set to 'true', the job is run.
Version of your runner? No idea, GitHub hosted.
OS of the machine running the runner? Linux
The workflow fails with:
The workflow is not valid. .github/workflows/release.yml (Line: 11, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.BUILD_RELEASES == 'true',.github/workflows/release.yml (Line: 35, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.BUILD_RELEASES == 'true'
I don't think we should support secrets in if conditional expression since you can't debug the expression evaluation result.
Today we printout debug info for evaluating condition, so when the condition result is not what you expected, you can base on the log to figure out whether it's a bug in the system or you provide the wrong input.
Ex:
##[debug]Evaluating: (success() && (runner.os != 'Windows'))
##[debug]Evaluating And:
##[debug]..Evaluating success:
##[debug]..=> true
##[debug]..Evaluating NotEqual:
##[debug]....Evaluating Index:
##[debug]......Evaluating runner:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'os'
##[debug]....=> 'macOS'
##[debug]....Evaluating String:
##[debug]....=> 'Windows'
##[debug]..=> true
##[debug]=> true
##[debug]Expanded: (true && ('macOS' != 'Windows'))
##[debug]Result: true
I see. I assumed the secrets can be used in lieu of per-repository configuration values settable by the administrator, similar to how the ACTIONS_STEP_DEBUG secret is used by the runner to enable logs.
My need is to disable costly and potentially annoying actions in forks, unless the administrator of the fork enables them. We currently use if: ${{ github.repository_owner == 'our_org' }}, but it is annoying to have to disable these conditions in the workflow file when you need to test the workflows.
@mzabaluev you can do something like this.
if: ${{ github.repository_owner == 'our_org' || contains(github.event.head_commit.message, 'RUN TEST')}}
then if you want to run those costly steps, just put RUN TEST as part of your commit message.
I hope this can help.
@TingluoHuang My use case is slightly different: I would like to skip steps that interact with an external service e.g. package repository if the API token is not present. It would be enough to be able to check if the secret exists, without inspecting the value. Any chance of that happening? It would be especially useful for project templates: Users often push their projects to a new GitHub repository before configuring the secrets.
Did anyone try assigning a secrets value to an output?
- name: Assign variable
id: secret
run: echo '::set-output name=secret::${{secrets.SECRET}}'
- name: Encode the project the project
if: steps.secret.outputs.secret
Did anyone try assigning a secrets value to an output?
- name: Assign variable id: secret run: echo '::set-output name=secret::${{secrets.SECRET}}' - name: Encode the project the project if: steps.secret.outputs.secret
You cannot use a secret in an output. Only star characters will be printed
The output in the log will be hidden by * but the value in the output variable will be the same as the secret.
Ok, I only tried to use it as an output of a job, not a step, maybe that was the problem. Not sure.
Most helpful comment
@TingluoHuang My use case is slightly different: I would like to skip steps that interact with an external service e.g. package repository if the API token is not present. It would be enough to be able to check if the secret exists, without inspecting the value. Any chance of that happening? It would be especially useful for project templates: Users often push their projects to a new GitHub repository before configuring the secrets.