Use different input parameter based on a condition

I am trying to run a deploy action for my staging and production, and I’d like to use different SSH keys, which are added as GH secrets, based on which branch I’m on.

So I added a ‘stage check’ step before my other steps in the deployment process that looks like this

    steps:
      - name: Stage check
        id: current_stage
        run: |
          if [ ${{ github.ref == 'refs/heads/main' }} ]; then
            echo "::set-output name=STAGE::production"
            echo "::set-output name=SSH_KEY::${{ secrets.PRODUCTION_KEY }}"
          elif [ ${{ github.ref == 'refs/heads/staging' }} ]; then
            echo "::set-output name=STAGE::staging"
            echo "::set-output name=SSH_KEY::${{ secrets.STAGING_KEY }}"
          fi

In my other steps, I can now get access to

    ${{ steps.current_stage.outputs.SSH_KEY }}

and

    ${{ steps.current_stage.outputs.STAGE }}

I now have

      - name: Add SSH key
        uses: webfactory/ssh-agent@v0.5.2
        with:
            ssh-private-key: ${{ steps.current_stage.outputs.SSH_KEY }}

But this seems to fail. Not 100% sure why, but my hunch is that the output cannot see the encrypted secret content, so when it’s being used in the parameter ssh-private-key, it’s not passed as a decrypted value and then I get a failure.

So what I’m wondering is whether it’s possible, in one step, to have something like

      - name: Add SSH key
        uses: webfactory/ssh-agent@v0.5.2
        if: ${{ github.ref == 'refs/heads/main' }}
        with:
            ssh-private-key: ${{ secrets.PRODUCTION_KEY }}
        if: ${{ github.ref == 'refs/heads/staging' }}
        with:
            ssh-private-key: ${{ secrets.STAGING_KEY }}

So that my input argument to the webfactory/ssh-agent action is different based on that condition?

I see two issues here:

  1. The conditionals in your current_stage step are mixing Bash and GitHub Actions syntax, and the result of that is probably not what you want (both are always true, so you always get the production path because it’s checked first). You should use Actions syntax (the ${{ ... }} part) only to substitute the github.ref and Bash for the rest:
        run: |
          if [ ${{ github.ref }} = "refs/heads/main" ]; then
            echo "::set-output name=STAGE::production"
            echo "::set-output name=SSH_KEY::${{ secrets.PRODUCTION_KEY }}"
          elif [ ${{ github.ref }} = "refs/heads/staging" ]; then
            echo "::set-output name=STAGE::staging"
            echo "::set-output name=SSH_KEY::${{ secrets.STAGING_KEY }}"
          fi
  2. The OpenSSH private keys I know are multi-line files. Running that through the output without URL encoding (so there are no newlines) will mess them up. The easiest solution is probably to replace all newlines with %0A in the secrets.
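The two problems described in the answer above can be reproduced outside of Actions; this is an added example, not code from either poster. All function names are hypothetical, `render_expr` only stands in for the runner's `${{ ... }}` substitution, and the `%25`/`%0D` replacements go beyond the answer's `%0A` to cover the runner's full workflow-command escaping.

```shell
#!/bin/sh
# Added example. The runner substitutes ${{ ... }} before the shell sees the
# script, so the original test reaches the shell as `[ true ]` or `[ false ]`.

# Hypothetical stand-in for ${{ github.ref == '<ref>' }}: prints true or false.
render_expr() {
  if [ "$1" = "$2" ]; then echo true; else echo false; fi
}

# Original logic: a one-argument test succeeds for ANY non-empty string,
# so `[ false ]` is true and the first branch always wins.
stage_broken() {
  if [ $(render_expr "$1" refs/heads/main) ]; then
    echo production
  elif [ $(render_expr "$1" refs/heads/staging) ]; then
    echo staging
  fi
}

# Corrected logic: the shell performs the string comparison itself.
stage_fixed() {
  if [ "$1" = "refs/heads/main" ]; then
    echo production
  elif [ "$1" = "refs/heads/staging" ]; then
    echo staging
  else
    echo none   # any other branch gets no key at all
  fi
}

# Escape a multi-line value for a single-line workflow command:
# % -> %25, CR -> %0D, LF -> %0A. The extra "\n" fed to awk makes a
# trailing newline in the value survive as a final %0A.
escape_output() {
  printf '%s\n' "$1" | awk '
    NR > 1 { printf "%%0A" }
    { gsub(/%/, "%25"); gsub(/\r/, "%0D"); printf "%s", $0 }'
}

# Constructed sample input (placeholder text, not a real key).
sample_key=$(printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
  'PLACEHOLDER' '-----END OPENSSH PRIVATE KEY-----')
echo "broken, ref=staging: $(stage_broken refs/heads/staging)"
echo "fixed,  ref=staging: $(stage_fixed refs/heads/staging)"
echo "escaped: $(escape_output "$sample_key")"
```

The broken variant hands out the production path for every ref, including feature branches, which is why the comparison has to be done by the shell rather than rendered into it.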

Yeah, I got the production stage all the time. I’ve fixed this, but the key one was tricky, so I separated this into 4 steps, all of which have the if: ${{ github.ref == 'refs/heads/staging' }} checks, which work.

Thanks for the help!
