Commit a3b46b9

ci(docs): fix docs-deploy-trigger validation rejecting secrets.* in if: (sbpp#1350)
sbpp#1347's skip-when-unconfigured guard used `if: secrets.DOCS_DEPLOY_PAT != ''` on the dispatch step. `secrets.*` isn't available in `if:` at any scope (workflow / job / step) per the Actions context-availability table — the parser rejects the file with "Unrecognized named-value: 'secrets'" before any job runs, so every push records a red workflow-file-issue run with no jobs (visible on the sbpp#1346 dependabot push, run 25652463088). Exactly the failure mode the guard was meant to prevent. Fix: read the secret into a precheck step's `env:` (where `secrets.*` IS allowed), shell-test for presence, emit a `configured=true|false` step output, gate the dispatch step on `steps.pat.outputs.configured == 'true'` (`steps.*` IS available in step `if:`). Operator-facing UX unchanged — dispatch step still shows as Skipped until the PAT is set, run is green. Both the file-level comment block and the inline step comment now spell out the actual context-availability rule so a future reader doesn't reach for the same broken shape.
1 parent bb417e5 commit a3b46b9
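Added example, not part of the sbpp commit or the sbpp project: a POSIX shell lint that catches the rejected shape the commit message describes (`secrets.*` referenced inside an `if:` key) before the workflow is pushed, so the "Unrecognized named-value: 'secrets'" red run never happens. The function name `lint_if_secrets`, the temp directory and the two sample workflow files (which mirror the before and after shapes of this commit) are constructed for this example. It inspects single-line `if:` keys only; a folded `if: |` block is not checked.

```shell
#!/bin/sh
# Added example (not the sbpp project's code): pre-push lint for `secrets.*`
# inside `if:`. The Actions parser rejects that at job and step scope, so any
# match here means the whole workflow file would fail before a job runs.

# Print each `if:` line in the given workflow file that references `secrets.`,
# prefixed with its line number. Return 1 if any were found, 0 otherwise.
# `|| true` keeps `set -e` callers alive when grep finds nothing (exit 1).
lint_if_secrets() {
  matches=$(grep -nE '^[[:space:]]*(- )?if:.*secrets\.' "$1" || true)
  if [ -n "$matches" ]; then
    printf '%s\n' "$matches"
    return 1
  fi
  return 0
}

# Constructed sample workflows, written to a temp dir so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# The rejected shape: the secret tested directly in a step-level `if:`.
BAD_WF="$SAMPLE_DIR/bad.yml"
cat > "$BAD_WF" <<'EOF'
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Dispatch
        if: secrets.DOCS_DEPLOY_PAT != ''
        run: echo dispatch
EOF

# The accepted shape: secret read into `env:` of a precheck step, presence
# exported as a step output, dispatch step gated on `steps.*` instead.
GOOD_WF="$SAMPLE_DIR/good.yml"
cat > "$GOOD_WF" <<'EOF'
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Check whether DOCS_DEPLOY_PAT is configured
        id: pat
        env:
          DOCS_DEPLOY_PAT: ${{ secrets.DOCS_DEPLOY_PAT }}
        run: |
          if [ -n "$DOCS_DEPLOY_PAT" ]; then
            echo "configured=true" >> "$GITHUB_OUTPUT"
          else
            echo "configured=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Dispatch
        if: steps.pat.outputs.configured == 'true'
        run: echo dispatch
EOF

# Usage: lint each file; a non-zero return means the Actions parser would reject it.
lint_if_secrets "$GOOD_WF" && echo "good.yml: ok"
lint_if_secrets "$BAD_WF" || echo "bad.yml: would be rejected by the Actions parser"
```

Run it as a pre-push hook or a CI step over `.github/workflows/*.yml`; the line-number output points straight at the `if:` that needs to move to a precheck step's `env:`.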

1 file changed

Lines changed: 36 additions & 13 deletions

.github/workflows/docs-deploy-trigger.yml

@@ -16,12 +16,21 @@
1616
# - Repo SECRET `DOCS_DEPLOY_PAT` = the token value.
1717
#
1818
# Until `DOCS_DEPLOY_PAT` is set, the dispatch step below is skipped via
19-
# its `if: secrets.DOCS_DEPLOY_PAT != ''` guard — every push to `docs/**`
20-
# shows up as a green run with the dispatch step marked "Skipped",
21-
# instead of red-failing on a missing credential. This stops the
22-
# original anti-pattern (#1339-followup) where the dispatch hard-erred
23-
# and an operator who hasn't done the cutover yet sees a stream of
24-
# confusing failures.
19+
# a precheck step that reads the secret into `env:` (where `secrets.*` IS
20+
# allowed), tests for presence in shell, and emits a step output the
21+
# dispatch step gates on. Every push to `docs/**` shows up as a green
22+
# run with the dispatch step marked "Skipped", instead of red-failing on
23+
# a missing credential. This stops the original anti-pattern
24+
# (#1339-followup) where the dispatch hard-erred and an operator who
25+
# hasn't done the cutover yet sees a stream of confusing failures.
26+
#
27+
# The naive shape (`if: secrets.DOCS_DEPLOY_PAT != ''` on the dispatch
28+
# step itself) does NOT work: `secrets.*` is unavailable in `if:` at
29+
# every scope (workflow / job / step) per the GitHub Actions context
30+
# table, and the parser rejects the workflow file with
31+
# "Unrecognized named-value: 'secrets'" before any job runs — the run
32+
# fails red on every push including dependabot branches, defeating the
33+
# whole point of the guard.
2534
#
2635
# The deploy shell in sbpp.github.io also has a `workflow_dispatch`
2736
# trigger as a manual fallback while the PAT is pending.
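Review bot: the context-availability rule is now stated twice in near-identical wording, once in this header block (the "naive shape" paragraph) and again in the step comment added above the `pat` step in the next hunk; keep the full explanation in one place, next to the step it governs, and have the header say only that the dispatch step is gated through a precheck step output, so the two copies cannot drift apart. One wording nit in the same paragraph: "at every scope (workflow / job / step)" lists a workflow-level `if:`, which the workflow schema does not have; "job- or step-level `if:`" names the two places the rule actually applies.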
@@ -52,19 +61,33 @@ jobs:
5261
permissions: {}
5362

5463
steps:
64+
# `secrets.*` isn't available in `if:` at any scope, so we can't
65+
# gate the dispatch step directly on the PAT being configured.
66+
# Read the secret into the precheck step's `env:` (where
67+
# `secrets.*` IS allowed), test for presence in shell, and emit
68+
# a `configured=true|false` step output. The dispatch step then
69+
# gates on `steps.pat.outputs.configured == 'true'` — `steps.*`
70+
# IS available in `if:`, so the gate works and the dispatch step
71+
# cleanly shows as "Skipped" until the secret is set.
72+
- name: Check whether DOCS_DEPLOY_PAT is configured
73+
id: pat
74+
env:
75+
DOCS_DEPLOY_PAT: ${{ secrets.DOCS_DEPLOY_PAT }}
76+
run: |
77+
if [ -n "$DOCS_DEPLOY_PAT" ]; then
78+
echo "configured=true" >> "$GITHUB_OUTPUT"
79+
else
80+
echo "configured=false" >> "$GITHUB_OUTPUT"
81+
echo "::notice title=docs-deploy-trigger::DOCS_DEPLOY_PAT is unset; skipping repository_dispatch into sbpp.github.io. Configure the secret to enable automatic Pages deploys (the deploy shell still has a manual workflow_dispatch trigger as a fallback)."
82+
fi
83+
5584
# The dispatched workflow in sbpp.github.io listens for
5685
# `event_type: docs-changed`. The client_payload carries the
5786
# commit SHA and ref so the deploy job can pin its sourcebans-pp
5887
# checkout to the exact commit that fired the dispatch (race
5988
# guard for back-to-back pushes).
60-
#
61-
# Step-level `if:` evaluates against `secrets.*` (job-level `if:`
62-
# does not), so we gate the dispatch directly on the PAT being
63-
# configured — no separate feature-flag variable needed. When
64-
# `DOCS_DEPLOY_PAT` is unset, the step is skipped and the run is
65-
# green-with-skipped instead of red-failing.
6689
- name: Dispatch repository_dispatch into sbpp.github.io
67-
if: secrets.DOCS_DEPLOY_PAT != ''
90+
if: steps.pat.outputs.configured == 'true'
6891
env:
6992
GH_TOKEN: ${{ secrets.DOCS_DEPLOY_PAT }}
7093
run: |
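Review bot: the presence test in the `pat` step (`[ -n "$DOCS_DEPLOY_PAT" ]`) only distinguishes unset from set, so an expired, revoked or under-scoped PAT still yields `configured=true` and the dispatch step then fails red on the `gh` call; the step comment should say that the gate covers the not-yet-configured case only, so an operator who sees a red run after cutover looks at token validity rather than at the gate. The `::notice` line is correctly emitted only in the unset branch, but at roughly 300 characters it is hard to review; assigning the message to a shell variable or splitting it over two `echo` lines would keep it readable. The rest matches the commit message: `steps.pat.outputs.configured` is read in the dispatch step's `if:`, where `steps.*` is available, and `GH_TOKEN` still comes from `secrets.*` in `env:`.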
