I want to check in my workflow if a secret is present or not before executing a job.
Something like this:
publish:
  runs-on: ubuntu-latest
  if: secrets.AWS_ACCESS_KEY_ID != ''
  steps:
    [ ... ]
However, I've got an error like this when using this expression:
The workflow is not valid. .github/workflows/release.yml (Line: 11, Col: 9): Unrecognized named-value: 'secrets'...
I tried to write the expression another way:
if: ${{ secrets.AWS_ACCESS_KEY_ID != '' }}
if: ${{ secrets.AWS_ACCESS_KEY_ID }} != ''
How to achieve what I want in a Github Actions workflow?
The Github Action interpreter currently doesn't identify the secrets key word when used in an if conditional expression. Therefore, you can't use the secrets.VARIABLE syntax there.

Instead, use the environment to carry a result of a secret check and then use an if conditional upon the non-secret result.
job.step Example:
job:
  runs-on: ubuntu-latest
  steps:
    - name: Check for Secret availability
      id: secret-check
      # perform secret check & put boolean result as an output
      shell: bash
      run: |
        if [ "${{ secrets.MY_KEY }}" != '' ]; then
          echo "available=true" >> $GITHUB_OUTPUT;
        else
          echo "available=false" >> $GITHUB_OUTPUT;
        fi
    - name: Check Inadequate Permissions
      if: ${{ steps.secret-check.outputs.available != 'true' }}
      # provide feedback for likely problem, note dependabot cannot access
      # secrets by default. Secondly, this step forces job failure due to
      # missing secret via `exit 1`
      shell: bash
      run: |
        if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
          echo >&2 "Unable to access secrets as unprivileged dependabot.";
        else
          echo >&2 "Inadequate Permissions or missing secret value";
        fi
        exit 1
    - name: Execute Step requiring secret
      # If you didn't abort step above, then use this conditional
      # if: ${{ steps.secret-check.outputs.available == 'true' }}
      shell: bash
      # Key will be blocked out in log output but will be not empty
      run: |
        echo "This command is executed with non-empty key: \
        ${{ secrets.MY_KEY }}"
If you need to do this at the job level, create a separate check-secret
job to validate the secrets and then share the result as a defined output.
Workflow Context Level Example:
jobs:
  check-secret:
    runs-on: ubuntu-latest
    outputs:
      my-key-exists: ${{ steps.my-key-check.outputs.defined }}
    steps:
      - name: Check for Secret availability
        id: my-key-check
        # perform secret check & put boolean result as an output
        shell: bash
        run: |
          if [ "${{ secrets.AWS_ACCESS_KEY_ID }}" != '' ]; then
            echo "defined=true" >> $GITHUB_OUTPUT;
          else
            echo "defined=false" >> $GITHUB_OUTPUT;
          fi
  job1:
    runs-on: ubuntu-latest
    needs: [check-secret]
    if: needs.check-secret.outputs.my-key-exists == 'true'
    steps:
      - run: echo "This command is executed if AWS_ACCESS_KEY_ID secret IS NOT empty"
  job2:
    runs-on: ubuntu-latest
    needs: [check-secret]
    if: needs.check-secret.outputs.my-key-exists != 'true'
    steps:
      - run: echo "This command is executed if AWS_ACCESS_KEY_ID secret IS empty"
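The check step in both examples above can be generalised to several secrets at once. This added shell function (example code, not from the answer) expects each secret to be passed into the step's environment with `env:` (for example `env: { MY_KEY: "${{ secrets.MY_KEY }}" }`, then `run: check_secrets MY_KEY AWS_ACCESS_KEY_ID`), so the secret value is never interpolated into the script text itself; it writes `available=true|false` and a `missing=` list to `$GITHUB_OUTPUT` and returns non-zero when anything is empty. The variable names and the `missing` output key are assumptions for this example.

```shell
# Added example: check that every named environment variable (one per secret
# mapped in via `env:`) is non-empty, and record the result in GITHUB_OUTPUT
# so a later `if:` on steps.<id>.outputs.available can gate the job.
check_secrets() {
  # Fall back to /dev/null so the function also runs outside Actions.
  out="${GITHUB_OUTPUT:-/dev/null}"
  missing=""
  for name in "$@"; do
    # Indirect lookup of the variable named in $name (empty if unset).
    eval "val=\"\${$name:-}\""
    if [ -z "$val" ]; then
      missing="$missing $name"
    fi
  done
  if [ -n "$missing" ]; then
    echo "available=false" >> "$out"
    # Only the secret *names* are reported, never their values.
    echo "missing=${missing# }" >> "$out"
    echo >&2 "Missing or empty secrets:${missing}"
    return 1
  fi
  echo "available=true" >> "$out"
  return 0
}
```

Because the function returns 1 on a missing secret, calling it as the last command of a `run:` step fails that step, so a job that forgot to map a secret stops before any later step tries to use it.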