fix: only run Asana jobs if the secrets are present
This avoids failures when running on PRs from forks.

We do it in this convoluted way because you can't access secrets
directly from `if` blocks: actions/runner#520
paulswartz committed Jul 24, 2023
1 parent 1a9faa1 commit 4f4c6d5
Showing 1 changed file with 13 additions and 3 deletions.
16 changes: 13 additions & 3 deletions .github/workflows/asana.yml
Expand Up @@ -29,9 +29,17 @@ on:
required: false
description: GitHub secret that Asana uses to fetch PR information.
jobs:
check-for-secrets:
runs-on: ubuntu-latest
outputs:
has-asana-token: ${{ secrets.asana-token != '' }}
has-github-secret: ${{ secrets.github-secret != '' }}
steps:
- run: true
move-to-merged-asana-ticket-job:
runs-on: ubuntu-latest
if: inputs.merged-section != '' && github.event.pull_request.merged == true && github.actor != 'dependabot[bot]'
needs: check-for-secrets
if: inputs.merged-section != '' && needs.check-for-secrets.output.has-asana-token == 'true' && github.event.pull_request.merged == true && github.actor != 'dependabot[bot]'
steps:
- name: Move ticket on merge
uses: mbta/[email protected]
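Review bot: The new `if:` on `move-to-merged-asana-ticket-job` reads `needs.check-for-secrets.output.has-asana-token`, but the job declares its values under `outputs:` and GitHub Actions exposes them as `needs.<job_id>.outputs.<name>`. With the singular `output` the lookup evaluates to an empty value, the comparison with `'true'` is never true, and the job is skipped even when the token is set. Change it to `needs.check-for-secrets.outputs.has-asana-token == 'true'`. A short YAML comment on `check-for-secrets` explaining why the indirection exists would also help, since the reason currently lives only in the commit message.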
Expand All @@ -42,7 +50,8 @@ jobs:
mark-complete: ${{ inputs.complete-on-merge }}
move-to-in-review-asana-ticket-job:
runs-on: ubuntu-latest
if: inputs.review-section != '' && github.event.action == 'review_requested' && github.actor != 'dependabot[bot]'
needs: check-for-secrets
if: inputs.review-section != '' && needs.check-for-secrets.output.has-asana-token == 'true' && github.event.action == 'review_requested' && github.actor != 'dependabot[bot]'
steps:
- name: Move ticket on review requested
uses: mbta/[email protected]
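Review bot: Same singular `output` lookup in the `if:` on `move-to-in-review-asana-ticket-job`: it needs to be `needs.check-for-secrets.outputs.has-asana-token`, otherwise this job never runs on `review_requested`. A job whose `if:` is false is reported as skipped rather than failed, so nothing flags the mistake; test the fix once from a repository that has the secret and once from a fork.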
Expand All @@ -52,8 +61,9 @@ jobs:
target-section: ${{ inputs.review-section }}
create-asana-attachment-job:
runs-on: ubuntu-latest
needs: check-for-secrets
name: Create pull request attachments on Asana tasks
if: inputs.attach-pr && github.actor != 'dependabot[bot]'
if: inputs.attach-pr && needs.check-for-secrets.output.has-github-secret == 'true' && github.actor != 'dependabot[bot]'
steps:
- name: Create pull request attachments
uses: Asana/[email protected]
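Review bot: The `if:` on `create-asana-attachment-job` has the same singular `output` in `needs.check-for-secrets.output.has-github-secret`; use `needs.check-for-secrets.outputs.has-github-secret == 'true'` so the job can run when the secret exists. Minor style point: here `needs:` is placed before `name:`, while the other two jobs put it directly above `if:`; keeping it next to the condition that depends on it reads more consistently.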

4 comments on commit 4f4c6d5

@thecristen

@paulswartz I'm a little curious why we didn't make the two secrets required: true then?

@thecristen

@paulswartz Looks like Dotcom and RTR both use this workflow, and we're both affected - after checking for secrets, the action skips all subsequent steps. I'm guessing that's due to this commit!

I'm not sure why this would stop working for us, but maybe it's this bug or some other quirk...

@paulswartz
Member Author

They're not required because these actions generally also run in forks, which don't have access to the secrets from the parent repository. @thecristen do you have an example workflow run when this happened?

@thecristen

@paulswartz Dotcom, RTR
I've pinned our workflow to the previous SHA so it works again for us: working here
