How can I test if secrets are available in an action?

I’d like an action to run on PRs from the main repo, but not from PRs from forked repos.

Secrets are not passed to workflows that are triggered by a pull request from a fork. As you said, your PRs are within the main repo. Then the secrets could be passed in the workflow.

How do you use secrets in your action? Use secret variables as action input variable value? 


If so, you could check your logs; the secrets variable value will be masked with ***.


If I am misunderstanding your scenario, please share your workflow yml content here.

To clarify, I’d like my CI to run all the jobs and pass when run from the main repo. When someone sends a PR from a forked repo, I’d still like the subset of jobs that don’t require secrets to run and CI still to pass. 

I’ll follow up with a detailed example in the next day or two…


I was able to get it working by testing every step of the job for the existence of the environment variable associated with the secret.  See

It would be nicer if there were a way to check for secrets availability at the job level.

@paulb777 I checked your PR; you use secrets as the value of environment variables. You could set the env at job level. Then the env could be used in your scripts directly. In bash, use it with the syntax $var_name

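jobs:
  build:  # job id is a placeholder; it is not shown in the original snippet
    env:
      key1: ${{ secrets.test2 }}
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - run: echo "$key1"
      # The whole comparison must sit inside ${{ }}; text outside it makes the condition always true
      if: ${{ env.key1 == 'aaa' }}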

You could enable step debug logging, in set up job step, the secrets will be evaluated. 


Thanks @yanjingzhu. Setting the secret environment variables at the job level is much cleaner.

I tried several different locations and variations for the if (see the commits in, but wasn’t able to find a way to use it to disable the job when the secret environment variables are not available. 

You can only use the env context in the value of the with and name keys, or in a step’s if conditional.

It is not supported to use env in a job’s if conditional.

And the secrets context could not be used in an if conditional, neither a job’s if nor a step’s if.

So, it is not possible to disable a job by identifying secrets. I am afraid that you need to add an if conditional to each step. Sorry for any inconvenience.


This might not be what you’re after, but you can disable individual steps by putting the secret into a job’s env and then using

if: ${{ env.SECRET_KEY != 0 }}
inside each step.

Setting env at the workflow level does not appear to work, so ‘if’ for entire jobs won’t work.


You can make an entire job optional based on the presence of a secret if you had a previous job that set a job output:


Thanks jonico, I’ve created a more specific example here:

You can see it in action here:

This did the trick for me:

- name: Clean local maven repository
  env:
    # Empty when the secret is not defined or not passed to this run
    CLEAN_MVN_REPO: ${{ secrets.CLEAN_MVN_REPO }}
  if: env.CLEAN_MVN_REPO != null
  run: rm -r ~/.m2/repository/*

If the secret called CLEAN_MVN_REPO doesn’t exist,
this step isn’t executed.


It may be a little cheeky but this is what I did at my org. I run a job before my main CI job that checks if all my secrets are in place. It normally does other things too but I took that out for the example below.



jobs:
  preFlight:
    name: "Preflight Checks"
    runs-on: ubuntu-latest
    steps:
    - name: Assert Secrets Present
      shell: bash
      run: |
        # Hash the argument so the comparison never prints the secret itself
        MD5() {
          result=($(md5sum <(echo "${1}")))
          echo $result
        }

        # Succeeds when the argument hashes differently from the empty string
        secretPresent() {
          emptyHash=$(MD5 "")
          secretHash=$(MD5 "${1}")
          ! diff <(echo $secretHash) <(echo $emptyHash) &> /dev/null
        }

        errorMessage() {
          echo "Your secret ${1} seems to be missing please contact the Central-OPs team"
          return 1
        }

        # Start from success; each missing secret overwrites the status
        secretStatus=0
        secretPresent "${{ secrets.GIT_TOKEN }}" || errorMessage "GIT_TOKEN" || secretStatus=1
        secretPresent "${{ secrets.AWS_KEY }}" || errorMessage "AWS_KEY" || secretStatus=2
        secretPresent "${{ secrets.THING_URL }}" || errorMessage "THING_URL" || secretStatus=3
        secretPresent "${{ secrets.THING_USER_TOKEN }}" || errorMessage "THING_USER_TOKEN" || secretStatus=4
        secretPresent "${{ secrets.CHEESE }}" || errorMessage "CHEESE" || secretStatus=5

        exit $secretStatus

    - run: echo "Everything Checks Out 👍"

  build:  # job id is a placeholder; it is not shown in the original snippet
    needs: preFlight
    name: "Build and Push to Registry"
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code Base
      uses: actions/checkout@v2


That said I also really like the solution by tomerfi.
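
The job-output approach mentioned earlier in the thread, written out as an added example (it is not code from any poster here). The job ids, the output name `available`, the secret name `DEPLOY_TOKEN` and the two `run` commands are assumed names.

```yaml
# Added example: gate a whole job on whether a secret reached this run.
name: ci
on: [pull_request, push]

jobs:
  check_secrets:
    runs-on: ubuntu-latest
    outputs:
      # Only the string "true"/"false" leaves this job, never the secret.
      available: ${{ steps.probe.outputs.available }}
    steps:
      - id: probe
        env:
          # Empty string for PRs from forks, or when the secret is not defined.
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: |
          # Test for presence only; the value is never echoed or interpolated
          # into the script text.
          if [ -n "$DEPLOY_TOKEN" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
          fi

  unit_tests:
    # Needs no secrets, so it runs for fork PRs as well.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: make test                  # placeholder command

  integration_tests:
    needs: check_secrets
    # Job-level condition: the whole job is skipped when the secret is empty.
    if: needs.check_secrets.outputs.available == 'true'
    runs-on: ubuntu-latest
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    steps:
      - uses: actions/checkout@v2
      - run: ./scripts/integration.sh   # placeholder command
```

A job skipped by its `if` is reported as skipped rather than failed, so a fork PR still gets a passing run from the jobs that need no secrets.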