How to use github-secret in github action workflow? - github

so I have this code:
name: run-script
on: push
jobs:
run_tests:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout#v2
- name: Run script file
run: |
echo {here should be the secret} > ~/id_rsa
shell: bash
On my git action, where {here should be the secret} I want to put the variable, which is a secret token saved as a repo secret.
How can this be done?
Thank you for your help.

Assuming you have a secret named TOKEN, you can use it like so:
name: run-script
on: push
jobs:
run_tests:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout#v3
- name: Run script file
run: |
echo ${{ secrets.TOKEN }} > ~/id_rsa
shell: bash
Unrelated to how to use secrets, please note that > will override the contents of ~/id_rsa.
Secondly, if you want to do something with your private key (which is my guess based on the filename), the correct file would be in ~/.ssh/id_rsa.
And lastly, note that I have changed the checkout action to v3 as that's the latest available version.

Related

access script stored in .github directory in github action

I have a my_script.sh file in .github/my_script.sh in my repo.
Below is my YAML file:
jobs:
main:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v3
with:
path: master
- name: Set sync script in env
run: |
myscript=$(cat .github/my_script.sh)
echo "::set-env name=MY_SCRIPT::$myscript"
But I got this error:
cat: .github/my_script.sh: No such file
Any clue why?
According to https://github.com/actions/checkout, path is the "relative path under $GITHUB_WORKSPACE to place the repository". Note that does not change the working directory.
This means that using path: master will put your repo in a folder named master. I suspect that you meant to check out the master branch instead. Checkout will automatically checkout the branch the workflow was ran on so most of the time, specifying it specifically is not required.
You either want to remove the path argument or change your code to use the correct path: myscript=$(cat master/.github/my_script.sh)
I think specifying working directory will work.
jobs:
main:
runs-on: ubuntu-latest
defaults:
run:
working-directory: .github
steps:
- uses: actions/checkout#v3
- name: step sync script in env
run: cat my_script.sh
I have checked it and it works.

Conditional job execution for Github actions

I would like to conditionally execute a Github Action according to a previous job (Format).
If the code needed to be formatted, I would like to execute the following job (create_commit), otherwise skip it and do nothing.
Unfortunately at the moment the second job never gets triggered, no matter what is the output of the first job.
My action:
name: Format
on: push
jobs:
format:
name: Code formatting in Black
runs-on: ubuntu-latest
outputs:
trigger_commit: ${{ steps.changes_present.outputs.changes_detected }}
steps:
- name: Checkout repository
uses: actions/checkout#v3
- name: Install package
run: pip install 'black[d]'
- name: Run black formatter
run: black .
- name: Check diff for changes
id: changes_present
run: |
outputs=$(git diff)
if ! [ -z "$outputs" ]
then
echo '::set-output name=changes_detected::true'
fi
create_commit:
runs-on: ubuntu-latest <- Job never executed
needs: format
if: needs.format.outputs.changes_detected == true
steps:
- name: Commit
run: |
git config user.name 'github-actions[bot]'
git config user.email 'github-actions[bot]#users.noreply.github.com'
git commit -am "Files updated after formatting"
git push
The output of the format job is named trigger_commit instead of changes_detected. So try this:
if: needs.format.outputs.trigger_commit == `true`
You could use the actionlint to check this error, an online version is available too. See this link .

How can I cancel a GitHub Actions workflow if the commit has no tag

I have npm publish github actions, I want to run this action if my commit has tag, otherwise I don't want to run my action because of that if I do not add any tag my commit then action is run and failed because it try to publish already publish npm package with same tag. For example with my last commit I have tag 1.2.3 and my npm package was publish with 1.2.3 version. When I add new commit to my branch without any tag actions try to publish my package with 1.2.3 version tag so it failed. Here my actions code below, is there any solution for it.
Thanks for advive.
name: NPM Publish
on:
push:
branches:
- master
tags:
- v*
jobs:
build:
name: Build 🏗 & Publish 🚀
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v1
- uses: actions/setup-node#v2.4.0
with:
node-version: 12
registry-url: https://registry.npmjs.org/
- run: npm install
- run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
I need something like that on yml file
if(git_commit has tag) continue job else stop job;
EDITTED VERSION
I edit my yml file base on #Enrico Campidoglio suggestion but still is does not work. I made two commit first one without tag and it canceled the action but second one has tag it still canceled action. Is there any new suggestion or solution ?
name: NPM Publish
on:
push:
branches:
- master
jobs:
build:
name: Build 🏗 & Publish 🚀
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v1
- uses: actions/setup-node#v2.4.0
with:
node-version: 12
registry-url: https://registry.npmjs.org/
- run: echo "GIT_COMMIT=`echo $(git rev-parse --short HEAD)`" >> $GITHUB_ENV
- run: echo "GIT_TAG=`echo $(git describe --tags --exact-match ${{ env.GIT_COMMIT }} || :)`" >> $GITHUB_ENV
- run: echo ${{ env.GIT_TAG }} != v*
- run: |
if [[ ${{ env.GIT_TAG }} == v* ]] ; then
echo "Tag found..."
else
echo "No git tag found, action cancelled..."
exit 1
fi
- uses: andymckay/cancel-action#0.2
if: ${{ env.GIT_TAG }} != v*
- run: npm install
- run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
there is action result I cannot figure out what is the problem,
here the lastest failed action: https://github.com/sametcelikbicak/enum2array/runs/3513521031?check_suite_focus=true
I found the solution finally after too many tried. I changed my mind and try to run shell script and it works :)
Just add that line in my yml file
- name: Check Git Tag to continue publish
run: ./scripts/publish.sh
and I created a sh file for control the commit tag. You can find the latest script and yml file definitions below
Here is my lastest yml file, npm-publish.yml
name: NPM Publish
on:
push:
branches:
- master
jobs:
build:
name: Build 🏗 & Publish 🚀
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v1
- uses: actions/setup-node#v2.4.0
with:
node-version: 12
registry-url: https://registry.npmjs.org/
- name: Check Git Tag to continue publish
run: ./scripts/publish.sh
- run: npm install
- run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
Here is my script file, publish.sh
#!/usr/bin/env bash
GIT_COMMIT=$(git rev-parse --short HEAD)
GIT_TAG=$(git describe --tags --exact-match $COMMIT || :)
if [[ ${GIT_TAG} == v* ]] ; then
echo "$GIT_TAG Tag found..."
else
echo "No git tag found, action cancelled..."
exit 1
fi
For the time being, there isn't an official action to cancel the current workflow. There is, however, an official GitHub API and a third-party action that invokes it. You could combine it with an if conditional and the github context to achieve what you want:
steps:
- uses: andymckay/cancel-action#0.2
if: startsWith(github.ref, 'refs/tags')
Be aware that cancelling a workflow through the API is an asynchronous operation, which means that later steps might still get executed until the workflow runner handles the request.
A much more solid approach would be to put a condition on your publishing step to only run when the workflow was triggered by a new tag:
steps:
- run: npm publish --access public
if: startsWith(github.ref, 'refs/tags')
env:
NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}

git actions save workflow trigger to variable

I wrote a Github action workflow of which will be triggered only when some specific files were updated:
name: CI
on:
push:
paths:
### If a push was applied on one of these files, the CI workflow is triggered.###
### I want to know which file triggered the CI workflow and save it to a variable s I can use later in the CI steps ###
- 'dwh/helm/values-versions.yaml'
- 'ai/helm/values-versions.yaml'
- 'platform/helm/values-versions.yaml'
jobs:
copy-values-template-to-fluent-bit:
runs-on: self-hosted
container:
image: ghcr.io/***/myImage
credentials:
username: ${{ secrets.GHCR_USER }}
password: ${{ secrets.GHCR_PASS }}
steps:
- uses: actions/checkout#v2
- name: show repo files
run: |
pwd
ls -l
I need a way to figure out which file triggered the CI workflow and save it to a variable.
You can use this action Get All Changed Files:
- id: files
uses: jitterbit/get-changed-files#v1
- run: |
for changed_file in ${{ steps.files.outputs.all }}; do
echo "Do something with this ${changed_file} to check if this is you file and set variable."
done

GitHub Action - Unable to add "if" condition in steps

I'm using composite GitHub actions, where I want to check the current branch name in composite action's some steps and make the decision on that condition.
e.g.
name: main
on:
push:
repository_dispatch:
types:
- manual-trigger
jobs:
build:
runs-on: windows-latest
steps:
- name: Checkout project
uses: actions/checkout#v2
- name: Fetch full project
run: git fetch --prune --unshallow
- name: Restore packages
run: nuget restore -ConfigFile "../Build/Nuget.config"
working-directory: Projects
env:
# ARTIFACTORY_PASSWORD is read by the nuget.config credentials section
ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
- name: Composite Action - To build solution and execute SonarScanner
uses: ./Build/build-and-sonarscanner-execution
Where in Composite action - I do have a check that Sonar-Scanner should execute only for develop branch, else only project build will gets execute.
name: build-and-sonarscanner-execution
description: "Build the solution using msbuild and SonarScanner execution"
inputs:
# Set of parameters
runs:
using: "composite"
steps:
- name: Restore packages
run: nuget restore -ConfigFile "../Build/Nuget.config"
working-directory: ${{ inputs.solution-directory }}
env:
# ARTIFACTORY_PASSWORD is read by the nuget.config credentials section
ARTIFACTORY_PASSWORD: ${{ inputs.artifactory-password }}
shell: pwsh
- name: Install dotnet-sonarscanner package
if: {{ github.ref == 'ref/head/develop' }} This is the line where it is throwing syntax error as 'if' is not allowed under steps
run: dotnet tool install --global dotnet-sonarscanner --version 4.10.0
shell: pwsh
Here and here are the references I have looked for before applying this if condition here. And that works totally fine if I apply that main.yml, but in composite action yaml file that's not working.
Can someone please share that what am I missing in here?
The above syntax if: ${{ ... }} should be fine but it seems that the composite actions do not support conditions yet: https://github.com/actions/runner/blob/main/docs/adrs/0549-composite-run-steps.md
The workaround that Benjamin proposed is working for me:
run: |
if [[ "${{inputs.myVar}}" != "" ]]; then
aws ...
fi
exit 0
shell: bash
Try the below syntax:
if: ${{ github.ref == 'refs/heads/xxxx' }}