I want to check whether a secret is available in my workflow before executing a job.
Something like this:
publish:
  runs-on: ubuntu-latest
  if: secrets.AWS_ACCESS_KEY_ID != ''
  steps:
    [ ... ]
However, when using this expression, I get an error like this:
The workflow is not valid. .github/workflows/release.yml (Line: 11, Col: 9): Unrecognized named-value: 'secrets'...
I tried writing this expression another way:
if: ${{ secrets.AWS_ACCESS_KEY_ID != '' }}

if: ${{ secrets.AWS_ACCESS_KEY_ID }} != ''
How can I achieve what I want in a GitHub Actions workflow?
Gui*_*urd 32
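The GitHub Actions interpreter currently does not recognize the secrets keyword used in if conditional expressions. So you cannot use the secrets.VARIABLE syntax there.
Instead, use the environment to carry the result of the secret check, then use an if condition on the non-secret result.
Job steps example: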
job:
  runs-on: ubuntu-latest
  steps:
    - name: Check for Secret availability
      id: secret-check
      # perform secret check & put boolean result as an output
      shell: bash
      run: |
        if [ "${{ secrets.MY_KEY }}" != '' ]; then
          echo "available=true" >> "$GITHUB_OUTPUT";
        else
          echo "available=false" >> "$GITHUB_OUTPUT";
        fi
    - name: Check Inadequate Permissions
      if: ${{ steps.secret-check.outputs.available != 'true' }}
      # provide feedback for likely problem, note dependabot cannot access
      # secrets by default. Secondly, this step forces job failure due to
      # missing secret via `exit 1`
      shell: bash
      run: |
        if [ "${{ github.actor }}" == "dependabot[bot]" ]; then
          echo >&2 "Unable to access secrets as unprivileged dependabot.";
        else
          echo >&2 "Inadequate Permissions or missing secret value";
        fi
        exit 1
    - name: Execute Step requiring secret
      # If you didn't abort step above, then use this conditional
      # if: ${{ steps.secret-check.outputs.available == 'true' }}
      shell: bash
      # Key will be blocked out in log output but will not be empty
      run: |
        echo "This command is executed with non-empty key: \
        ${{ secrets.MY_KEY }}"
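If you need to do this at the job level, create a separate check-secret job to validate the secret, then share the result as a defined output.
Workflow context level example: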
jobs:
  check-secret:
    runs-on: ubuntu-latest
    outputs:
      my-key-exists: ${{ steps.my-key-check.outputs.defined }}
    steps:
      - name: Check for Secret availability
        id: my-key-check
        # perform secret check & put boolean result as an output
        shell: bash
        run: |
          if [ "${{ secrets.AWS_ACCESS_KEY_ID }}" != '' ]; then
            echo "defined=true" >> "$GITHUB_OUTPUT";
          else
            echo "defined=false" >> "$GITHUB_OUTPUT";
          fi
  job1:
    runs-on: ubuntu-latest
    needs: [check-secret]
    if: needs.check-secret.outputs.my-key-exists == 'true'
    steps:
      - run: echo "This command is executed if AWS_ACCESS_KEY_ID secret IS NOT empty"
  job2:
    runs-on: ubuntu-latest
    needs: [check-secret]
    if: needs.check-secret.outputs.my-key-exists != 'true'
    steps:
      - run: echo "This command is executed if AWS_ACCESS_KEY_ID secret IS empty"
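
Added example, not part of the original answer: the same set-or-empty check written as a POSIX shell helper that reads each secret from an environment variable instead of from `${{ secrets.* }}` text substituted into the script, so a value containing quotes or `$(...)` cannot change what the script does. It generalizes the answer's single check to several names; `check_secrets` and the `DEMO_*` variables are hypothetical, and the step is assumed to map each secret into `env:` under the same name.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumed step configuration:
#   env:
#     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
#   run: check_secrets AWS_ACCESS_KEY_ID
# The secret then reaches the script as data, never as script text.

# check_secrets NAME...   (hypothetical helper)
# Appends "NAME=true" or "NAME=false" to the file named by $GITHUB_OUTPUT
# for every NAME. Returns 0 if all are non-empty, 1 if any is empty or
# unset, 2 on an invalid name. Only names are printed, never values.
check_secrets() {
    missing=0
    for name in "$@"; do
        # Accept plain identifiers only before the name is passed to eval.
        case "$name" in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
                echo >&2 "invalid variable name"
                return 2 ;;
        esac
        # Indirect lookup: expands to value=${NAME-}; the value itself is
        # not re-parsed, so quotes and $(...) inside it stay inert.
        eval "value=\${$name-}"
        if [ -n "$value" ]; then
            echo "$name=true" >> "$GITHUB_OUTPUT"
        else
            echo "$name=false" >> "$GITHUB_OUTPUT"
            echo >&2 "secret $name is empty or unset"
            missing=1
        fi
    done
    unset value
    return "$missing"
}

# Constructed demo values (not real credentials); DEMO_ABSENT stays unset.
GITHUB_OUTPUT=${GITHUB_OUTPUT:-$(mktemp)}
DEMO_PRESENT='constructed"value$(echo x)'
unset DEMO_ABSENT
check_secrets DEMO_PRESENT DEMO_ABSENT || echo "demo: a secret is missing"
cat "$GITHUB_OUTPUT"
```

A later step or a dependent job can then branch on the written outputs the same way the answer's examples branch on `available` and `defined`.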