I'm looking for a way to check if the owner of the repository has set some variable.
Usecase:
I'm a contributor of diyhue, and I want to setup a generic github action to test the app, this should be done for every user, and publish it to docker hub if the owner of the fork has set the secret DOCKER_USERNAME.
That way the github action will only run the publish step if the user configured the required secrets. But the test will always run, resulting in a green checkmark telling changes from the user aren't breaking the code.
I could not find a way to stop the execution of the github actions if secrets where not set. So I build my own action to do just that.
https://github.com/marketplace/actions/secret-input-gate
This action allows the github actions to succeed (or fail) if secrets are not set. Use it to your liking and let me know what you think. Code is completely open-source, so you can make sure I’m not stealing any tokens.
I found an alternative following this issue discussion
As you can't manipulate secrets in an if (conditional) expression (they won't be recognised by the GHA interpreter), a workaround could be to create a job to check if the secret variable is present or not, set the result as an output, an then manipulate it on other jobs as you wish.
Example with DOCKER_USERNAME:
check-secret:
runs-on: ubuntu-latest
outputs:
my-key: ${{ steps.my-key.outputs.defined }}
steps:
- id: my-key
env:
MY_KEY: ${{ secrets.DOCKER_USERNAME }}
if: "${{ env.MY_KEY != '' }}"
run: echo "::set-output name=defined::true"
job1:
runs-on: ubuntu-latest
needs: [check-secret]
if: needs.check-secret.outputs.my-key == 'true'
steps:
- run: echo "This command is executed if DOCKER_USERNAME secret IS NOT empty"
job2:
runs-on: ubuntu-latest
needs: [check-secret]
if: needs.check-secret.outputs.my-key != 'true'
steps:
- run: echo "This command is executed if DOCKER_USERNAME secret IS empty"
Related
I'm using github environments in my github workflow. I want to read the environment name in a step of a job.
According to this documentation. It seems that the job context does not have that information. Is it any other way to achieve this?
Basically this is what i want to achieve:
jobs:
deployment:
name: Deploy to dev
environment: dev
runs-on: ubuntu-latest
steps:
- run: echo ${{ job.environment.name }}
# Expected to print 'dev'
you should use: jobs.<job_id>.environment.
See in docs: https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
I currently have a GitHub Action that triggers on:
pull_request_review:
types: [submitted]
I then want to run a command, which expects the contents of changes of the Pull Request.
Previously, I was using
on:
push
and I had no issues with the contents of the files being available in the Action context.
However, my command is failing now, and I think it's because the context only includes the commit that the action was triggered on (no file changes.)
Previously I was running this action on push and that was always successful, with the file changes being available in the context.
I'm using:
steps:
- uses: actions/checkout#v2
(https://github.com/actions/checkout)
Is it possible to use this to have all the file changes on the Pull Request within the Action context?
Any help on this would be appreciated!
You can do that by using an open source Action available on marketplace:
jobs:
build:
runs-on: ubuntu-latest # windows-latest | macos-latest
name: Test changed-files
steps:
- uses: actions/checkout#v2
with:
fetch-depth: 0 # OR "2" -> To retrieve the preceding commit.
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files#v14.6
- name: List all changed files
run: |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
echo "$file was changed"
done
The solution above uses git checkout and git diff to get files changed by PR. Alternatively if you really need just information about paths changed and you don't really need files themselves (no checkout) - you can do it without checkout using gh CLI:
gh pr view XXX --json files -q '.files[].path'
You can run it like this:
jobs:
comment:
runs-on: ubuntu-latest
steps:
- run: gh pr view XXX --json files -q '.files[].path'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I'm trying to organize my workflow artifacts (on a self-hosted runner) using a structure similar to this:
c:\github\artifacts\{org}\{repo}\{runid}
Different organizations in our enterprise COULD have a repository with the same name, so I wanted to be able to organize by organization name.
I have this so far:
c:\github\artifacts\{org}\{${{ github.event.repository.name }}\${{ github.run_id }}\
How can I determine the organization name?
You can get that from github context. Here are few that might be of use:
${{ github.repository }}
${{ github.repository_owner }}
If you don't know what are the values and which env variables are available to runner, you can just run env in a step to print it out, like so:
name: Print environment variables
on:
workflow_dispatch:
jobs:
debug:
runs-on: ubuntu-latest
steps:
- name: Print
run: env | sort
I have a simple workflow:
name: Test CI
env:
path_to_watch_for_commits: 'testdir/testfile'
on:
push:
branches:
- master
paths:
- ${{ env.path_to_watch_for_commits }}
workflow_dispatch:
jobs:
build:
runs-on: ubuntu
steps:
- uses: actions/checkout#v2
I want to use variable path_to_watch_for_commits in paths. But this syntax is wrong. Also i try ${{ path_to_watch_for_commits }} and $path_to_watch_for_commits with no results. What am i doing wrong?
There is a Naming conventions for environment variables explaining that:
Any new environment variables you set that point to a location on the filesystem should have a _PATH suffix. The HOME and GITHUB_WORKSPACE default variables are exceptions to this convention because the words "home" and "workspace" already imply a location.
Regarding the use of environment variables at different levels inside the workflow, here is an example with WORKFLOW, JOB and STEP variables:
name: Example
on: [push, workflow_dispatch]
env:
WORKFLOW_VARIABLE: WORKFLOW
jobs:
test:
runs-on: ubuntu-latest
env:
JOB_VARIABLE: JOB
steps:
- name: Run Commands with various variables
if: ${{ env.WORKFLOW_VARIABLE == 'WORKFLOW' }}
env:
STEP_VARIABLE: STEP
run: |
echo "Hello World"
echo "This is the $WORKFLOW_VARIABLE environment variable"
echo "This is the $JOB_VARIABLE environment variable"
echo "This is the $STEP_VARIABLE environment variable"
Regarding the possibility of the behaviour you want to achieve in your workflow, you can't set variables at the workflow and use them as paths on the same level, because:
Variables are substituted in the runner operating system after the job
is sent to the runner.
Reference
A workaround could be to trigger the workflow every time on push event, using the paths-filter action with an if conditional to execute specific steps if it match your paths.
It's not the best solution regarding optimisation, but it will work.
I've seen other SO answers but none of them seem to work. I guess I'm just trying to do something pretty simple with Github Actions. Just make a access_key available to my github action, without putting it in my github repo. So I see we can create action secrets that should be passed to the github action. I also understand we cant just log secret keys for security, so I would expect *** instead when trying to log. For the life of me I can't figure out why the secrets are not *** but they are empty. And even when Im using them in my scripts, they don't appear to have any value to them. Here is my workflow thats relevant
name: CI
on:
push:
branches:
- master
env:
AWS_S3_BUCKET: ${{ secrets.AWS_PRODUCTION_BUCKET_NAME }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ${{ secrets.AWS_REGION }}
jobs:
deploy:
runs-on: ubuntu-latest
env:
CI: true
strategy:
matrix:
node-version: [14.x]
steps:
- uses: actions/checkout#v1
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node#v1
with:
node-version: ${{ matrix.node-version }}
publish_dir: ./build
- name: Test Env
run: |
echo 'The GitHub Action Secret will be masked: '
echo ${{ secrets.GITHUB_TOKEN }}
echo 'Testing secret if its masked: '
printenv
When I run this, I see that GITHUB_TOKEN is indeed ***, which makes sense. But all the secrets that I've added to my repository settings > secrets > action secrets, they are just blank, not *** and if i try to use them via ${{ secrets.AWS_ACCESS_KEY }} its also blank.
My repo is public, I am pushing to master as well. I have admin rights to my repo.
In my case I hadn't referenced the environment containing the secrets from my script. Eventually found this in the documentation but it's incredibly frustrating that it just returns blank secrets instead of raising some kind of error message.
jobs:
myjobname:
runs-on: ubuntu-latest
environment: myenvironment # THIS WAS MISSING
steps:
# The steps in the action
Documentation link: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment
Ok looks like theres different kinds of secrets. I was adding Action Secrets which makes sense to me. I want secrets for Actions. Theres another section called Environment Secrets which when I put it in that, it worked. Kinda confusing.
One big problem I can see is that you are trying to access the secrets outside jobs. From the official documents here, it is done at the level of the steps through encryption.