How to check if a secret variable is empty in if conditional Github Actions

Context

I want to check in my workflow if a secret is present or not before executing a job.

Something like this:

publish:
    runs-on: ubuntu-latest
    if: secrets.AWS_ACCESS_KEY_ID != ''
    steps:
      [ ... ]

However, I got an error like this when using this expression:

The workflow is not valid. .github/workflows/release.yml (Line: 11, Col: 9): Unrecognized named-value: 'secrets'...

What I tried

I tried to write the expression another way:

if: ${{ secrets.AWS_ACCESS_KEY_ID != '' }}
if: ${{ secrets.AWS_ACCESS_KEY_ID }} != ''

Question

How to achieve what I want in a Github Actions workflow?

GuiFalourd asked Sep 10 '25 23:09

1 Answer

The Github Action interpreter currently doesn't identify the secrets keyword when used in an if conditional expression. Therefore, you can't use the secrets.VARIABLE syntax there.

Instead, use the environment to carry a result of a secret check and then use an if conditional upon the non-secret result.

job.step Example:

job:
  runs-on: ubuntu-latest
  steps:
    - name: Check for Secret availability
      id: secret-check
      # perform secret check & put boolean result as an output
      shell: bash
      run: |
        if [ "${{ secrets.MY_KEY }}" != '' ]; then
          echo "available=true" >> "$GITHUB_OUTPUT";
        else
          echo "available=false" >> "$GITHUB_OUTPUT";
        fi

    - name: Check Inadequate Permissions
      if: ${{ steps.secret-check.outputs.available != 'true' }}
      # provide feedback for likely problem, note dependabot cannot access
      # secrets by default. Secondly, this step forces job failure due to
      # missing secret via `exit 1`
      shell: bash
      run: |
        if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
          echo >&2 "Unable to access secrets as unprivileged dependabot.";
        else
          echo >&2 "Inadequate Permissions or missing secret value";
        fi
        exit 1

    - name: Execute Step requiring secret
      # If you didn't abort step above, then use this conditional
      # if: ${{ steps.secret-check.outputs.available == 'true' }}
      shell: bash
      # Key will be blocked out in log output but will be not empty
      run: |
        echo "This command is executed with non-empty key: \
          ${{ secrets.MY_KEY }}"

If you need to do this at the job level, create a separate check-secret job to validate the secrets and then share the result as a defined output.

Workflow Context Level Example:

jobs:

  check-secret:
    runs-on: ubuntu-latest
    outputs:
      my-key-exists: ${{ steps.my-key-check.outputs.defined }}
    steps:
      - name: Check for Secret availability
        id: my-key-check
        # perform secret check & put boolean result as an output
        shell: bash
        run: |
          if [ "${{ secrets.AWS_ACCESS_KEY_ID }}" != '' ]; then
            echo "defined=true" >> "$GITHUB_OUTPUT";
          else
            echo "defined=false" >> "$GITHUB_OUTPUT";
          fi

  job1:
    runs-on: ubuntu-latest
    needs: [check-secret]
    if: needs.check-secret.outputs.my-key-exists == 'true'
    steps:
      - run: echo "This command is executed if AWS_ACCESS_KEY_ID secret IS NOT empty"

  job2:
    runs-on: ubuntu-latest
    needs: [check-secret]
    if: needs.check-secret.outputs.my-key-exists != 'true'
    steps:
      - run: echo "This command is executed if AWS_ACCESS_KEY_ID secret IS empty"
GuiFalourd answered Sep 13 '25 18:09
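
The secret-availability step from the answer above, reworked as an added example (not part of the original answer): the secret is handed to the script through an assumed `env:` entry rather than interpolated into the `run:` text with `${{ secrets.MY_KEY }}`, a whitespace-only value is treated as missing, and the result is written to `$GITHUB_OUTPUT` exactly as the answer's `if:` conditions expect. The script name, the `env:` layout and the temp-file fallback are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed workflow usage:
#   - id: secret-check
#     env:
#       MY_KEY: ${{ secrets.MY_KEY }}
#     run: sh ./check_secret.sh MY_KEY
# Assumes $GITHUB_OUTPUT is set by the runner; falls back to a temp file
# so the script can also be exercised locally.

# Succeeds (exit 0) when the environment variable named $1 holds a
# non-empty, non-whitespace value; the value itself is never printed.
secret_present() {
  name="$1"
  # Only accept a plain identifier before handing the name to eval.
  case "$name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  # Indirect lookup; an unset variable expands to empty, not an error.
  eval "value=\${$name-}"
  # Treat a whitespace-only value (e.g. a mis-pasted secret) as missing.
  [ -n "$(printf '%s' "$value" | tr -d '[:space:]')" ]
}

# Appends available=true|false to $GITHUB_OUTPUT (the step-output file the
# answer's `if:` conditions read) and echoes the same token for callers.
emit_secret_check() {
  out="${GITHUB_OUTPUT:-/tmp/github_output.txt}"
  if secret_present "$1"; then
    result=true
  else
    result=false
  fi
  printf 'available=%s\n' "$result" >> "$out"
  printf '%s\n' "$result"
}

# Stand-alone usage: sh ./check_secret.sh MY_KEY
if [ "$#" -eq 1 ]; then
  emit_secret_check "$1"
fi
```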