Keyword secrets is not working in github actions workflow - github

Workflow that calls the reusable one:
name: Build only workflow
on:
  pull_request:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/workflows/build_job
        with:
          TARGET: lol
        secrets: inherit
The ./.github/workflows/build_job folder contains an action.yml file:
name: Build job
on:
  workflow_call:
    inputs:
      TARGET:
        required: true
        type: string
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: webfactory/ssh-agent@v0.5.4
        with:
          ssh-private-key: ${{ secrets.SSH_KEY }}
      - run: echo "hello"
Error: The workflow is not valid. .github/workflows/build_workflow.yml (Line: 16, Col: 9): Unexpected value 'secrets'

You're including the reusable workflow as a step, but a reusable workflow is an entire job not just a step.
Therefore, what you need is:
jobs:
  my-job:
    uses: ./.github/workflows/my-reusable-workflow.yaml
And then, since you can't do the checkout from outside anymore, you're going to have to add the checkout to your reusable workflow.
Also see this other answer of mine on the distinction between composite actions and reusable workflows.
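As an added example (not code from the question or from the answer above), here is the caller/called pair restructured the way the answer describes, with the reusable workflow invoked at the job level and living directly under .github/workflows/ as a .yml file. It also shows the two ways of handing secrets across: `secrets: inherit` forwards every repository and organization secret the caller can see, while declaring the secret under `on.workflow_call.secrets` and passing it explicitly limits the called workflow to the one key it needs. The file name build_workflow.yml, the SSH_KEY secret and the TARGET input come from the question; the build_job.yml file name and the `permissions` block are assumptions of this example.

```yaml
# .github/workflows/build_workflow.yml  (caller)
name: Build only workflow
on:
  pull_request:
    branches:
      - master
jobs:
  build:
    # A reusable workflow is a job, not a step: `uses:` sits directly under the
    # job id, so `runs-on:` and `steps:` belong to the called workflow, not here.
    uses: ./.github/workflows/build_job.yml
    with:
      TARGET: lol
    # Explicit passing: only SSH_KEY crosses the boundary. The alternative,
    # `secrets: inherit`, forwards every secret the caller can see.
    secrets:
      SSH_KEY: ${{ secrets.SSH_KEY }}
---
# .github/workflows/build_job.yml  (called)
name: Build job
on:
  workflow_call:
    inputs:
      TARGET:
        required: true
        type: string
    secrets:
      SSH_KEY:
        required: true
permissions:
  contents: read   # assumption: the build needs nothing beyond read access
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # The caller's checkout does not carry over; each job starts on a fresh runner.
      - uses: actions/checkout@v3
      - uses: webfactory/ssh-agent@v0.5.4
        with:
          ssh-private-key: ${{ secrets.SSH_KEY }}
      - run: echo "building ${{ inputs.TARGET }}"
```

Inside the called workflow the secret is referenced exactly as before (`secrets.SSH_KEY`); what changes is that GitHub now validates at parse time that the caller supplied it, and that no other secret is visible to the called jobs.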

Related

Github action runs on pr unexpectedly

I have this development.yml in .github/workflows:
name: Development
on:
  push:
    branches:
      - dev
    paths-ignore:
      - '**.md'
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v2
      - name: "Test Suite"
        uses: ./.github/actions/test_suite
  lint:
    [...lint stuff]
  db_migrate:
    [...db migrate stuff]
  [etc]
  [etc]
I would expect this workflow to only fire when I push to the branch named dev
I also have a pull_request.yml workflow. It's similar:
on:
  pull_request:
    branches:
      - '*'
    paths-ignore:
      - '**.md'
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v2
      - name: "Test Suite"
        uses: ./.github/actions/test_suite
  lint:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v2
      - name: "Lint Suite"
        uses: ./.github/actions/linting
I would expect this to run on any pull request to any branch, before it merges.
So far so good. If I make a PR from a feature branch into dev, it runs test and lint. When I merge, it runs the development.yml actions like db_migrate.
My question is why when I make a PR of dev into prod, it seems to run the development.yml actions. As soon as the PR is opened, it runs db_migrate. Why is that, and how do I make it not do that?
There is a production.yml but that's set to on release, so I don't think that's relevant here
on:
  release:
    types: [published]
    paths-ignore:
      - '**.md'
I've been staring at the docs but I'm having a slow brain morning. It's a little tricky to debug this because it's tightly coupled to github and two important branches.

GitHub Actions Reuse Workflow Definitions

I have a project with two GitHub Actions yml files. The first file is called build.yml and contains the instructions to compile, build and test the project. It is as simple as this:
name: build my-project
on:
  push:
    paths-ignore:
      - 'images/**'
      - README.md
    branches:
      - master
  pull_request:
    branches:
      - master
  release:
    types: [ created ]
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: cache ivy2
        uses: actions/cache@v1
        with:
          path: ~/.ivy2/cache
          key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}
      - name: sbt Test
        run: sbt clean test
I now have another yml file that contains the instructions to do a release based on annotated tags. It is like this:
name: release my-project
on:
  push:
    # Sequence of patterns matched against refs/tags
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-zA-Z]*'
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
  build:
    uses: ./.github/workflows/build.yml
  publish:
    runs-on: ubuntu-latest
    needs: test # See build.yml file where the test job is defined
    # If there is a tag and if that tag comes from master branch
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: checkout
        uses: actions/checkout@v3
      - name: capture changelog
        id: changelog
        uses: metcalfc/changelog-generator@v4.0.1
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
      - name: sbt ci-publish-github
        run: sbt publish
      - name: ci-release-github
        id: create-release
        uses: actions/create-release@latest
        with:
          allowUpdates: true
          tag_name: ${{ github.ref }}
          release_name: Release ${{ github.ref }}
          body: |
            ## What's Changed
            ${{ steps.changelog.outputs.changelog }}
          draft: false
          prerelease: false
I just created an annotated tag which then resulted in an error like this:
Invalid workflow file: .github/workflows/publish.yml#L14
error parsing called workflow "./.github/workflows/build.yml": workflow is not reusable as it is missing a `on.workflow_call` trigger
So basically what I want is, when I push an annotated tag, I want to first run the test job from build.yml and then once that succeeds, I would like to run the publish job. Any suggestions on how to get this straight?
You almost got it right with your implementation. You just need a few modifications:
The build job needs to depend on the publish job:
name: release my-project
on:
  push:
    # Sequence of patterns matched against refs/tags
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-zA-Z]*'
jobs:
  publish:
    [ ... ]
  build:
    needs:
      - publish
    uses: ./.github/workflows/build.yml
The build needs the workflow_call trigger (as stated by the error message - Reference):
on:
  workflow_call:
  push:
    [ ... ]
Note: You could even share the tag value from the previous workflow, sending it as input to the second one by using:
on:
  workflow_call:
    inputs:
      tag:
        required: true
        type: string
Calling the reusable workflow that way from the main workflow:
build:
  needs:
    - publish
  uses: ./.github/workflows/build.yml
  with:
    tag: 'MY TAG'
I was able to fix it by adding the following in my publish.yml:
jobs:
  tests:
    uses: ./.github/workflows/build.yml
  publish:
    runs-on: ubuntu-latest
    needs: [tests] # See build.yml file where the test job is defined
In my build.yml, I had to add the following:
on:
  push:
    paths-ignore:
      - 'images/**'
      - README.md
    branches:
      - master
  pull_request:
    branches:
      - master
  release:
    types: [ created ]
  workflow_call:
Notice that workflow_call: entry that needs to be added explicitly.
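Putting the pieces together, as an added example rather than the poster's own final files: publish.yml runs the reusable build.yml test job first, gates `publish` on it with `needs`, and passes the tag as a typed `workflow_call` input so the called job tests exactly the commit being released. Two departures from the posted files are deliberate and are assumptions of this example: GITHUB_TOKEN is no longer exported as a workflow-wide `env` (which hands the token to every step of every job, including third-party actions that have no use for it) but is set only on the steps that need it, and `permissions` is pinned to `contents: write`, the one scope release creation needs. The `sbt publish` target and the changelog action are kept as written in the question; `actions/create-release@v1` replaces the `@latest` reference, and the ivy cache step is omitted for brevity.

```yaml
# .github/workflows/build.yml  (reusable; the test job from the question)
name: build my-project
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_call:
    inputs:
      tag:
        required: false
        type: string
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # When called with a tag, test exactly that ref; otherwise the event's ref.
          ref: ${{ inputs.tag || github.ref }}
      - name: sbt Test
        run: sbt clean test
---
# .github/workflows/publish.yml  (caller)
name: release my-project
on:
  push:
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+-[a-zA-Z]*'
permissions:
  contents: write   # needed to create the release; nothing else is granted
jobs:
  tests:
    uses: ./.github/workflows/build.yml
    with:
      tag: ${{ github.ref_name }}   # the pushed tag, without the refs/tags/ prefix
  publish:
    runs-on: ubuntu-latest
    needs: [tests]   # runs only after the called test job has succeeded
    steps:
      - uses: actions/checkout@v3
      - name: capture changelog
        id: changelog
        uses: metcalfc/changelog-generator@v4.0.1
        with:
          myToken: ${{ secrets.GITHUB_TOKEN }}
      - name: sbt publish
        run: sbt publish
        env:
          # Token scoped to this step instead of the whole workflow.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: create release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref_name }}
          release_name: Release ${{ github.ref_name }}
          body: |
            ## What's Changed
            ${{ steps.changelog.outputs.changelog }}
          draft: false
          prerelease: false
```

Because `tests` is a job-level `uses:`, `needs: [tests]` refers to the caller's job id, not to the `test` job defined inside build.yml; that is why the original `needs: test` could never resolve. The called workflow's `permissions: contents: read` is allowed to be narrower than the caller's grant, so the test job never holds a write-capable token.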

How do I run GitHub Actions .yaml files in a certain order?

I have two .yaml files for my GitHub Actions. I need the second file to be executed only after the first. How can I achieve this if the jobs are in different files?
You could use the workflow_run syntax for Github Actions workflows.
In the example below, a workflow with the following trigger will only run when the workflow named Workflow Tester is completed (you could also start them in sequence using the requested type).
on:
  workflow_run:
    workflows: ["Workflow Tester"]
    types: [completed] # requested
Note that when using the trigger that way (with the completed type) you can also check the previous workflow, and perform different jobs depending on the workflow conclusion.
Example
jobs:
  on-success:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      [...]
  on-failure:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
    steps:
      [...]
I've tested this syntax in this workflow if you want to have a look and check the workflow runs in the repo Actions tab.
There is a feature called Reusing Workflows which can be used.
Example:
workflow1.yaml
name: Job1
on:
  workflow_call:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run a one-line script
        run: echo Job1 Executed!
workflow2.yaml
name: Job2
on:
  workflow_call:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run a one-line script
        run: echo Job2 Executed!
demo1.yaml (Calling Workflow)
name: Demo1
on:
  push:
    branches: [ "main" ]
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
  call-workflow1:
    uses: ./.github/workflows/workflow1.yaml
  call-workflow2:
    if: ${{ always() }} # This will make workflow2 execute even if workflow1 fails; remove it if you want to run this only on success of workflow1
    needs: call-workflow1
    uses: ./.github/workflows/workflow2.yaml

How to access files checked out by another workflow in GitHub Actions?

Can I access the files that are checked out or generated by a caller/called workflow?
I want to have a separate setup.yml workflow that checks out the repository code and then reuse that workflow in other workflows.
Here is an example called workflow file (setup.yml):
name: Set the project up
on: workflow_call
jobs:
  setup:
    name: Set the project up
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v3
      - name: Set up Node
        uses: actions/setup-node@v3
        with:
          node-version: '16'
Here is the caller workflow file (ci.yml):
name: CI
on:
  push:
    branches:
      - main
jobs:
  setup:
    uses: ./.github/workflows/setup.yml
  test-the-project:
    needs: setup
    uses: ./.github/workflows/test.yml

Github Action triggered by success of a different action

I am trying to trigger a Github action to run after a successful run of a different action.
the 2 workflows are:
Unit Test Action (which runs first, and should trigger the Follow on Test action below):
name: unit-tests
on:
  push:
    branches:
      - '**'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: "3.1.x"
      - name: Test
        run: dotnet test src/XXXXXXXXXX
Follow on Test Action (This is just a test action)
name: Test action triggered by previous action success
on:
  workflow_run:
    workflows:
      - unit-tests
    types:
      - completed
jobs:
  test-job:
    name: Test Step
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      - run: echo "The follow on works!!"
The issue is that when this is triggered on a feature branch and not the default branch (as it should be, because I want the actions to run on all branches) it doesn't work.
Any ideas?
As discussed in the comments:
First: It is necessary to have both workflows on the branch and to first merge the branch into your default branch, then onwards it will work.
Second: It is possible to use if: ${{ github.event.workflow_run.conclusion == 'success' }} to only run the jobs if the previous workflow was successful.
Example:
on:
  workflow_run:
    workflows: ["Other Workflow Name"]
    types: [completed] # requested
jobs:
  on-success:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - run: echo "First workflow was a success"
  on-failure:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
    steps:
      - run: echo "First workflow was a failure"
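As an added example serving both `workflow_run` answers on this page (the earlier one about running workflow files in a certain order, and the one directly above), and not code from either poster: a follow-on workflow that runs only when `unit-tests` succeeded, checks out the exact commit that run tested rather than a branch name, and refuses to run when the triggering run came from a fork. The last guard matters because a `workflow_run` workflow always executes from the default branch with the repository's secrets and its `GITHUB_TOKEN`, even when the run that triggered it was for a fork's pull request; checking out and executing that run's code without the guard would hand an outside contributor those credentials. The workflow name `unit-tests` is from the question; the `permissions` block, the job names and the echo steps are assumptions.

```yaml
name: Follow-on tests
on:
  workflow_run:
    workflows: ["unit-tests"]
    types: [completed]
permissions:
  contents: read   # nothing here needs write access; drop the default grant
jobs:
  follow-on:
    runs-on: ubuntu-latest
    # Two conditions: the upstream run passed, and it ran on this repository's
    # own code (not a fork's), so the commit we are about to execute is trusted.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/checkout@v3
        with:
          # head_sha is the commit the upstream run actually tested; a branch
          # name could have moved on since (or, for forks, not exist here at all).
          ref: ${{ github.event.workflow_run.head_sha }}
      - run: |
          echo "upstream run ${{ github.event.workflow_run.id }} passed on ${{ github.event.workflow_run.head_branch }}"
  report-failure:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'failure'
    steps:
      - run: echo "unit-tests failed; nothing was checked out"
```

Note that `conclusion` is only populated for the `completed` type; with `requested` the field is empty and both `if` conditions evaluate false, so the jobs would be skipped. The behaviour the question describes (the follow-on not firing from a feature branch) is unaffected by these guards: the `workflow_run` trigger is only read from the default branch's copy of the file, so the file has to land on the default branch before any branch can trigger it.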