Secrets cannot be used to condition job runs

[mzabaluev]

Describe the bug
The secrets context is apparently not available to if conditional expressions on jobs.

To Reproduce
Create and trigger a workflow with jobs conditioned on the value of a secret:

jobs:
  build_bulky_stuff:
    if: ${{ secrets.BUILD_BULKY_STUFF == 'true' }}
    # ...

Here's a real world example.

Expected behavior
The condition is successfully evaluated and if the secret value is set to 'true', the job is run.

Runner Version and Platform

Version of your runner? No idea, GitHub hosted.

OS of the machine running the runner? Linux

What's not working?

The workflow fails with:

The workflow is not valid. .github/workflows/release.yml (Line: 11, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.BUILD_RELEASES == 'true',.github/workflows/release.yml (Line: 35, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.BUILD_RELEASES == 'true'

Job Log Output

See this workflow run

[TingluoHuang]

I don't think we should support secrets in if conditional expression since you can't debug the expression evaluation result.

Today we printout debug info for evaluating condition, so when the condition result is not what you expected, you can base on the log to figure out whether it's a bug in the system or you provide the wrong input.

Ex:

##[debug]Evaluating: (success() && (runner.os != 'Windows'))
##[debug]Evaluating And:
##[debug]..Evaluating success:
##[debug]..=> true
##[debug]..Evaluating NotEqual:
##[debug]....Evaluating Index:
##[debug]......Evaluating runner:
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'os'
##[debug]....=> 'macOS'
##[debug]....Evaluating String:
##[debug]....=> 'Windows'
##[debug]..=> true
##[debug]=> true
##[debug]Expanded: (true && ('macOS' != 'Windows'))
##[debug]Result: true

[mzabaluev]

I see. I assumed the secrets can be used in lieu of per-repository configuration values settable by the administrator, similar to how the ACTIONS_STEP_DEBUG secret is used by the runner to enable logs.

My need is to disable costly and potentially annoying actions in forks, unless the administrator of the fork enables them. We currently use if: ${{ github.repository_owner == 'our_org' }}, but it is annoying to have to disable these conditions in the workflow file when you need to test the workflows.

[TingluoHuang]

@mzabaluev you can do something like this.

if: ${{ github.repository_owner == 'our_org' || contains(github.event.head_commit.message, 'RUN TEST')}}

then if you want to run those costly steps, just put RUN TEST as part of your commit message.

I hope this can help.

[cjolowicz]

@TingluoHuang My use case is slightly different: I would like to skip steps that interact with an external service e.g. package repository if the API token is not present. It would be enough to be able to check if the secret exists, without inspecting the value. Any chance of that happening? It would be especially useful for project templates: Users often push their projects to a new GitHub repository before configuring the secrets.

[quisse]

Did anyone try assigning a secrets value to an output?

      - name: Assign variable
        id: secret
        run: echo '::set-output name=secret::${{secrets.SECRET}}'

      - name: Encode the project the project
        if: steps.secret.outputs.secret

[ejgyurisan]

Did anyone try assigning a secrets value to an output?

      - name: Assign variable
        id: secret
        run: echo '::set-output name=secret::${{secrets.SECRET}}'

      - name: Encode the project the project
        if: steps.secret.outputs.secret

You cannot use a secret in an output. Only star characters will be printed

[quisse]

The output in the log will be hidden by * but the value in the output variable will be the same as the secret.

[ejgyurisan]

Ok, I only tried to use it as an output of a job, not a step, maybe that was the problem. Not sure.

[ReenigneArcher]

In my case I wanted to check if a secret was null to enable disable a matrix job.

I thought this would work: if: secrets.SOMETHING != null would be sufficient; however I guess I was mistaken.

Anyway, this will not work. It will be true for every PR, even from outside collaborators.

if: github.repository_owner == 'our_org'

I ended up using this.

if: >-
  (github.event_name == 'pull_request' && github.event.pull_request.head.owner.login == 'org_name') ||
  (github.event_name == 'push' && github.ref == 'refs/heads/master')

If a pull request, the head owner must be our Org. (only issue is some org members work in their own forks)... or if a push to the default branch it will evaluate to true.

Another alternative is probably this.

if: github.secret_source == 'Actions'

or

if: github.secret_source != 'None'

Hope this is helpful for others.