|
16 | 16 | # - Repo SECRET `DOCS_DEPLOY_PAT` = the token value. |
17 | 17 | # |
18 | 18 | # Until `DOCS_DEPLOY_PAT` is set, the dispatch step below is skipped via |
19 | | -# its `if: secrets.DOCS_DEPLOY_PAT != ''` guard — every push to `docs/**` |
20 | | -# shows up as a green run with the dispatch step marked "Skipped", |
21 | | -# instead of red-failing on a missing credential. This stops the |
22 | | -# original anti-pattern (#1339-followup) where the dispatch hard-erred |
23 | | -# and an operator who hasn't done the cutover yet sees a stream of |
24 | | -# confusing failures. |
| 19 | +# a precheck step that reads the secret into `env:` (where `secrets.*` IS |
| 20 | +# allowed), tests for presence in shell, and emits a step output the |
| 21 | +# dispatch step gates on. Every push to `docs/**` shows up as a green |
| 22 | +# run with the dispatch step marked "Skipped", instead of red-failing on |
| 23 | +# a missing credential. This stops the original anti-pattern |
| 24 | +# (#1339-followup) where the dispatch hard-erred and an operator who |
| 25 | +# hasn't done the cutover yet sees a stream of confusing failures. |
| 26 | +# |
| 27 | +# The naive shape (`if: secrets.DOCS_DEPLOY_PAT != ''` on the dispatch |
| 28 | +# step itself) does NOT work: `secrets.*` is unavailable in `if:` at |
| 29 | +# every scope (workflow / job / step) per the GitHub Actions context |
| 30 | +# table, and the parser rejects the workflow file with |
| 31 | +# "Unrecognized named-value: 'secrets'" before any job runs — the run |
| 32 | +# fails red on every push including dependabot branches, defeating the |
| 33 | +# whole point of the guard. |
25 | 34 | # |
26 | 35 | # The deploy shell in sbpp.github.io also has a `workflow_dispatch` |
27 | 36 | # trigger as a manual fallback while the PAT is pending. |
@@ -52,19 +61,33 @@ jobs: |
52 | 61 | permissions: {} |
53 | 62 |
|
54 | 63 | steps: |
| 64 | + # `secrets.*` isn't available in `if:` at any scope, so we can't |
| 65 | + # gate the dispatch step directly on the PAT being configured. |
| 66 | + # Read the secret into the precheck step's `env:` (where |
| 67 | + # `secrets.*` IS allowed), test for presence in shell, and emit |
| 68 | + # a `configured=true|false` step output. The dispatch step then |
| 69 | + # gates on `steps.pat.outputs.configured == 'true'` — `steps.*` |
| 70 | + # IS available in `if:`, so the gate works and the dispatch step |
| 71 | + # cleanly shows as "Skipped" until the secret is set. |
| 72 | + - name: Check whether DOCS_DEPLOY_PAT is configured |
| 73 | + id: pat |
| 74 | + env: |
| 75 | + DOCS_DEPLOY_PAT: ${{ secrets.DOCS_DEPLOY_PAT }} |
| 76 | + run: | |
| 77 | + if [ -n "$DOCS_DEPLOY_PAT" ]; then |
| 78 | + echo "configured=true" >> "$GITHUB_OUTPUT" |
| 79 | + else |
| 80 | + echo "configured=false" >> "$GITHUB_OUTPUT" |
| 81 | + echo "::notice title=docs-deploy-trigger::DOCS_DEPLOY_PAT is unset; skipping repository_dispatch into sbpp.github.io. Configure the secret to enable automatic Pages deploys (the deploy shell still has a manual workflow_dispatch trigger as a fallback)." |
| 82 | + fi |
| 83 | +
|
55 | 84 | # The dispatched workflow in sbpp.github.io listens for |
56 | 85 | # `event_type: docs-changed`. The client_payload carries the |
57 | 86 | # commit SHA and ref so the deploy job can pin its sourcebans-pp |
58 | 87 | # checkout to the exact commit that fired the dispatch (race |
59 | 88 | # guard for back-to-back pushes). |
60 | | - # |
61 | | - # Step-level `if:` evaluates against `secrets.*` (job-level `if:` |
62 | | - # does not), so we gate the dispatch directly on the PAT being |
63 | | - # configured — no separate feature-flag variable needed. When |
64 | | - # `DOCS_DEPLOY_PAT` is unset, the step is skipped and the run is |
65 | | - # green-with-skipped instead of red-failing. |
66 | 89 | - name: Dispatch repository_dispatch into sbpp.github.io |
67 | | - if: secrets.DOCS_DEPLOY_PAT != '' |
| 90 | + if: steps.pat.outputs.configured == 'true' |
68 | 91 | env: |
69 | 92 | GH_TOKEN: ${{ secrets.DOCS_DEPLOY_PAT }} |
70 | 93 | run: | |
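Review bot: The precheck step (new lines 74–75) exports the full PAT value into its shell environment only to test whether it is non-empty, so the credential is present in a step that never uses it. The `env:` expression can pass a boolean instead: `PAT_CONFIGURED: ${{ secrets.DOCS_DEPLOY_PAT != '' }}`, with the script testing `if [ "$PAT_CONFIGURED" = "true" ]; then`. That keeps the `steps.pat.outputs.configured` gate as it is and limits the token to the dispatch step's `GH_TOKEN`. The dispatch step's `run:` body continues outside the hunk, so how the token is used there is not visible from here.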
|