Document how to use secrets with if: conditionals in GitHub Actions workflows #12722

Merged
merged 8 commits into from
Mar 18, 2022

Contributor

@br3ndonland br3ndonland commented Dec 7, 2021

Why:

Closes #6861

Users have requested documentation on how to use secrets with if: conditionals, especially how to skip a GitHub Actions workflow step if a secret isn't present.

This PR is based on the helpful guidance provided in #6861 (comment).

Related to this, as far as I know, the docs don't mention the default return value for an expression referencing an unset secret. Based on trial and error, the return value of ${{ secrets.SECRET_IS_NOT_SET }} appears to be an empty string. I've been digging around actions/runner to try to find where this default value is set, but I'm not sure. Maybe in SecretUtility.cs?

What's being changed:

Check off the following:

  • I have reviewed my changes in staging (look for "Automatically generated comment" and click Modified to view your latest changes).
  • For content changes, I have completed the self-review checklist.

Writer impact (This section is for GitHub staff members only):

  • This pull request impacts the contribution experience
    • I have added the 'writer impact' label
    • I have added a description and/or a video demo of the changes below (e.g. a "before and after video")


welcome bot commented Dec 7, 2021

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Dec 7, 2021
Contributor

github-actions bot commented Dec 7, 2021

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

| Source | Preview | Production | What Changed |
| --- | --- | --- | --- |
| content/actions/security-guides/encrypted-secrets.md | Modified | Original | |
| content/actions/using-workflows/workflow-syntax-for-github-actions.md | Modified | Original | |

@github-actions github-actions bot temporarily deployed to docs-12722--if-secrets December 7, 2021 22:57 Inactive
@ramyaparimi ramyaparimi added actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Dec 8, 2021
@ramyaparimi
Contributor

@br3ndonland
Thanks so much for opening a PR! I'll get this triaged for review ⚡

@skedwards88
Contributor

@br3ndonland Thank you for this addition! I think this info will be super helpful to users. I don't have permissions to edit your PR to resolve the merge conflict. The file has been renamed to content/actions/using-workflows/workflow-syntax-for-github-actions.md, so if you move your addition to that file, I think that should resolve the conflict. Once you resolve the conflict, we'll get this reviewed and merged for you.

@skedwards88 skedwards88 added more-information-needed More information is needed to complete review triage Do not begin working on this issue until triaged by the team and removed waiting for review Issue/PR is waiting for a writer's review labels Jan 27, 2022
@ramyaparimi ramyaparimi removed the triage Do not begin working on this issue until triaged by the team label Jan 27, 2022
@skedwards88 skedwards88 added waiting for review Issue/PR is waiting for a writer's review and removed more-information-needed More information is needed to complete review labels Jan 31, 2022
br3ndonland and others added 5 commits March 14, 2022 23:36
#6861
#12722

- Add a complete workflow example to `jobs.<job_id>.steps[*].if`,
  demonstrating how to skip a step if a secret is not present
- Add an explanation to "Using encrypted secrets in a workflow"
- Cross-reference the two pages
#6861
#12722 (comment)

Rather than referencing two secrets:

1. `${{ secrets.SECRET_IS_SET }}`
2. `${{ secrets.SECRET_IS_NOT_SET }}`

This commit will update the related section of the docs to reference a
single secret (`${{ secrets.SECRET_IS_SET }}`), and will update the
`if:` conditionals to compare with empty strings as suggested.
#6861
#12722

Some `${{ }}` values were converted to `$` in the preview environment.
Adding `{% raw %}`/`{% endraw %}` will preserve the raw value.
#6861
#12722 (comment)

This PR adds an example of how to use secrets with `if:` conditionals.
The reviewer suggested comparing variable values with empty strings to
make the `if:` conditionals clearer.

Commit cecdf00 updated the secret names accordingly, but the names of
the secret and environment variable may still have been confusing.

This commit will update the secret and environment variable names to
match the cross-referenced example on the "Encrypted secrets" page.
Contributor

@hubwriter hubwriter left a comment

@br3ndonland - This looks great. Thanks for making this change.

The example is really good. I'm sure this will help a lot of people. 👍

I'll get this merged/published.

@hubwriter hubwriter enabled auto-merge (squash) March 17, 2022 10:35
@ramyaparimi ramyaparimi added the ready to merge This pull request is ready to merge label Mar 17, 2022
@hubwriter hubwriter merged commit 06cf952 into github:main Mar 18, 2022
@github-actions
Contributor

Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues

@br3ndonland br3ndonland deleted the if-secrets branch March 21, 2022 15:04
m-kuhn commented Jul 1, 2022

I think this would deserve a hint on the implication that the secret is leaked to every step within the job, regardless if it's required for a certain step or not (hence violating the principle of least privilege).

@cmwilson21
Contributor

Hey @m-kuhn 👋 - Since this PR has already been merged and issue closed, could you create a new issue with your suggestions? Then we can triage it for team review. ⚡

Thanks for your interest in improving our docs! 💖
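
Added example, not part of the merged docs change or of any comment in this thread: a workflow contrasting the job-level `env` pattern for `if:` conditionals with a step-scoped variant that addresses the least-privilege concern raised in the Jul 1, 2022 comment. It relies on the behaviour reported in the PR description (an unset secret evaluates to an empty string); the secret name `DEPLOY_TOKEN`, the variable `deploy_token`, and the output `has_token` are hypothetical.

```yaml
# Added example. DEPLOY_TOKEN, deploy_token and has_token are hypothetical names.
name: Skip steps when a secret is absent
on: push

jobs:
  job-level-env:
    runs-on: ubuntu-latest
    # The secrets context cannot be referenced directly in a step-level `if:`,
    # so the secret is mapped to a job-level env var. Every step inherits it.
    env:
      deploy_token: ${{ secrets.DEPLOY_TOKEN }}
    steps:
      - name: Runs only when the secret is set
        if: ${{ env.deploy_token != '' }}
        run: echo "deploying with the token from the environment"
      - name: Runs only when the secret is unset
        if: ${{ env.deploy_token == '' }}
        run: echo "DEPLOY_TOKEN is not set, skipping deploy"
      - name: Unrelated step
        # Does not need the token, but still has deploy_token in its environment.
        run: echo "lint and test"

  step-scoped-secret:
    runs-on: ubuntu-latest
    steps:
      - name: Record whether the secret is set
        id: check
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        # Only a true/false flag leaves this step, never the secret value.
        run: |
          if [ -n "$DEPLOY_TOKEN" ]; then
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_token=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Deploy
        if: ${{ steps.check.outputs.has_token == 'true' }}
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: echo "deploying with the token from the environment"
      - name: Unrelated step
        # No DEPLOY_TOKEN in this step's environment.
        run: echo "lint and test"
```

In the second job the secret is present only in the environments of the check step and the deploy step; the other steps gate on, or ignore, a non-sensitive boolean.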

Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team ready to merge This pull request is ready to merge waiting for review Issue/PR is waiting for a writer's review
Development

Successfully merging this pull request may close these issues.

Document how to skip a step if a secret isn't present
9 participants