Commit 0a1ba7f
authored
fix(ci): move secret-scanner Cargo.toml gate from job-level if: to step-level (#20)
`secret-scanner.yml` has had 0 successful runs since creation across all
estate consumers — every run completes in 0 seconds with
`conclusion=failure` and zero jobs spawned (GitHub Actions
startup_failure). YAML is syntactically valid; both action SHAs exist;
`gh workflow view` returns the file cleanly.
## Root cause
The `rust-secrets` job has a job-level `if:` clause:
```yaml
rust-secrets:
runs-on: ubuntu-latest
if: hashFiles('**/Cargo.toml') != ''
```
GitHub Actions does not support `hashFiles()` in **job-level** `if:`
conditions. The docs say `hashFiles` is "available in the runtime
environment when steps are running" — i.e. step-level only. At
job-eligibility time the expression evaluator rejects the workflow, no
jobs are scheduled, the run is marked as a failed startup. Wrapping in
${{ }} makes no difference.
## Fix
Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and
adds a step-level guard at the top of the existing run block:
```bash
if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
echo "No Cargo.toml found — skipping Rust secrets check"
exit 0
fi
```
Same semantics (skip when no `Cargo.toml`), but at a context where the
expression works.
After this fix, the Secret Scanner workflow actually runs trufflehog +
gitleaks + (conditionally) rust-secrets as designed.1 parent 0a01ad3 commit 0a1ba7f
1 file changed
Lines changed: 4 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
40 | 40 | | |
41 | 41 | | |
42 | 42 | | |
43 | | - | |
44 | 43 | | |
45 | 44 | | |
46 | 45 | | |
47 | 46 | | |
48 | 47 | | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
49 | 52 | | |
50 | 53 | | |
51 | 54 | | |
| |||
0 commit comments