How can I test if secrets are available in an action?

I’d like an action to run on PRs from the main repo, but not from PRs from forked repos.

Secrets are not passed to workflows that are triggered by a pull request from a fork. As you said , your PRs are within the main repo. Then the secrets could be passed in workflow. 

How do you use secrets in your action? Use secret variables as action input variable value? 

use secrets.png 

If so, you could check your logs , the secrets variable value will be masked with *** . 

secrets.png

If I misunderstanding your scenario, please share your workflow yml content here.  

To clarify, I’d like my CI to run all the jobs and pass when run from the main repo. When someone sends a PR from a forked repo, I’d still like the subset of jobs that don’t require secrets to run and CI still to pass. 

I’ll follow up with a detailed example in the next day or two…

I was able to get it working by testing every step of the job for the existence of the environment variable associated with the secret.  See https://github.com/firebase/firebase-ios-sdk/pull/5180.

It would be nicer if there were away to check for secrets availability at the job level.

@paulb777 I checked your PR, you use secrets as the value of environment variables. You could set the env in job level.  Then the env could be used in your scripts directly. In bash, use it in syntax $var_name

jobs:
  build:
    env:
      key1: ${{secrets.test2}}
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - run: echo $key1
      if: ${{env.key1}} == 'aaa'

You could enable step debug logging, in set up job step, the secrets will be evaluated. 

1 Like

Thanks @yanjingzhu. Setting the secret environment variables at the job level is much cleaner.

I tried several different locations and variations for the if (see the commits in https://github.com/firebase/firebase-ios-sdk/pull/5188), but wasn’t able to find a way to use it to disable the job when the secret environment variables are not available. 

You can only use the env context in the value of the with and name keys, or in a step’s if conditional.

It is not supported to use env in job’s if  conditional. 

And screrts context could not be used in if conditional, neither job’s if  nor  step’s if  .

So, it is not possible to disable a job by identifying secrets . I am afraid that you need to add if contional to each steps.  Sorry for any inconvenience. 

1 Like

This might not be what you’re after, but you can disable individual steps by putting the secret into a job’s env and then using

if: ${{ env.SECRET_KEY != 0 }}
inside each step.

Setting env at the workflow level does not appear to work, so ‘if’ for entire jobs won’t work.