Secrets cannot be used to condition job runs

See original GitHub issue

Describe the bug

The secrets context is apparently not available to if conditional expressions on jobs.

To Reproduce

Create and trigger a workflow with jobs conditioned on the value of a secret:

jobs:
  build_bulky_stuff:
    if: ${{ secrets.BUILD_BULKY_STUFF == 'true' }}
    # ...

Here’s a real world example.

Expected behavior

The condition is successfully evaluated and if the secret value is set to 'true', the job is run.

Runner Version and Platform

Version of your runner? No idea, GitHub hosted.

OS of the machine running the runner? Linux

What’s not working?

The workflow fails with:

The workflow is not valid. .github/workflows/release.yml (Line: 11, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.BUILD_RELEASES == 'true',.github/workflows/release.yml (Line: 35, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.BUILD_RELEASES == 'true'

Job Log Output

See this workflow run

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:32
  • Comments:21 (2 by maintainers)

Top GitHub Comments

60 reactions
TingluoHuang commented, Jun 8, 2020

I don’t think we should support secrets in if conditional expression since you can’t debug the expression evaluation result.

Today we print out debug info for evaluating the condition, so when the condition result is not what you expected, you can use the log to figure out whether it’s a bug in the system or you provided the wrong input.

Ex:

##[debug]Evaluating: (success() && (runner.os != 'Windows'))
##[debug]Evaluating And:
##[debug]..Evaluating success:
##[debug]..=> true
##[debug]..Evaluating NotEqual:
##[debug]....Evaluating Index:
##[debug]......Evaluating runner:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'os'
##[debug]....=> 'macOS'
##[debug]....Evaluating String:
##[debug]....=> 'Windows'
##[debug]..=> true
##[debug]=> true
##[debug]Expanded: (true && ('macOS' != 'Windows'))
##[debug]Result: true
48 reactions
cjolowicz commented, Aug 14, 2020

@TingluoHuang My use case is slightly different: I would like to skip steps that interact with an external service, e.g. a package repository, if the API token is not present. It would be enough to be able to check if the secret exists, without inspecting the value. Any chance of that happening? It would be especially useful for project templates: users often push their projects to a new GitHub repository before configuring the secrets.
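
An added example, not part of the original issue thread and not GitHub's own code: one way to gate a job on whether a secret is configured is to test it inside a step, where the `secrets` context can be mapped to an environment variable, and publish only a true/false job output that a later job's `if` reads through the `needs` context. The workflow name, job names, the secret name `API_TOKEN`, the output name `has_token` and the publish script path are all assumptions made for illustration.

```yaml
# Added example: gate a job on the presence of a secret without
# referencing the secrets context in a job-level `if`.
name: release            # hypothetical workflow name
on: push

jobs:
  check_secret:
    runs-on: ubuntu-latest
    outputs:
      # Only a boolean string leaves this job, never the secret value.
      has_token: ${{ steps.check.outputs.has_token }}
    steps:
      - id: check
        env:
          # An unset secret expands to the empty string.
          API_TOKEN: ${{ secrets.API_TOKEN }}   # hypothetical secret name
        run: |
          # Read the value from the environment instead of interpolating
          # the expression into the script, so it is never parsed as shell.
          if [ -n "$API_TOKEN" ]; then
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_token=false" >> "$GITHUB_OUTPUT"
          fi

  publish:
    needs: check_secret
    # The condition compares a non-secret output, so the debug trace of
    # the expression evaluation stays readable.
    if: needs.check_secret.outputs.has_token == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
        run: ./scripts/publish.sh   # hypothetical script path
```

Because the check only tests for a non-empty value, `publish` is skipped both when the secret has not been configured yet and in runs where secrets are not passed to the workflow, such as pull requests from forks.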
