Document how to use secrets with if: conditionals in GitHub Actions…

… workflows (#12722) * 🔒 Document how to use secrets with `if:` #6861 #12722 - Add a complete workflow example to `jobs.<job_id>.steps[*].if`, demonstrating how to skip a step if a secret is not present - Add an explanation to "Using encrypted secrets in a workflow" - Cross-reference the two pages * 🔒 Compare secrets with empty strings in `if:` #6861 #12722 (comment) Rather than referencing two secrets: 1. `${{ secrets.SECRET_IS_SET }}` 2. `${{ secrets.SECRET_IS_NOT_SET }}`) This commit will update the related section of the docs to reference a single secret (`${{ secrets.SECRET_IS_SET }}`), and will update the `if:` conditionals to compare with empty strings as suggested. * 🔒 Add missing `{% raw %}`/`{% endraw %}` #6861 #12722 Some `${{ }}` values were converted to `$` in the preview environment. Adding `{% raw %}`/`{% endraw %}` will preserve the raw value. * 🔒 Match variable and secret names in examples #6861 #12722 (comment) This PR adds an example of how to use secrets with `if:` conditionals. The reviewer suggested comparing variable values with empty strings to make the `if:` conditionals clearer. Commit cecdf00 updated the secret names accordingly, but the names of the secret and environment variable may still have been confusing. This commit will update the secret and environment variable names to match the cross-referenced example on the "Encrypted secrets" page. * Update content/actions/using-workflows/workflow-syntax-for-github-actions.md Co-authored-by: hubwriter <hubwriter@github.com>
github · Mar 18, 2022 · 06cf952 · 06cf952
1 parent e913ff3
commit 06cf952
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/content/actions/security-guides/encrypted-secrets.md b/content/actions/security-guides/encrypted-secrets.md
@@ -227,6 +227,10 @@ steps:
 ```
 {% endraw %}
 
+Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job. For more information, see "[Context availability](/actions/learn-github-actions/contexts#context-availability)" and [`jobs.<job_id>.steps[*].if`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif).
+
+If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string.
+
 Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the `ps` command) or captured by [security audit events](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). To help protect secrets, consider using environment variables, `STDIN`, or other mechanisms supported by the target process.
 
 If you must pass secrets within a command line, then enclose them within the proper quoting rules. Secrets often contain special characters that may unintentionally affect your shell. To escape these special characters, use quoting with your environment variables. For example:

diff --git a/content/actions/using-workflows/workflow-syntax-for-github-actions.md b/content/actions/using-workflows/workflow-syntax-for-github-actions.md
@@ -342,6 +342,31 @@ steps:
     uses: actions/heroku@1.0.0
 ```
 
+#### Example: Using secrets
+
+Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job.
+
+If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string.
+
+{% raw %}
+```yaml
+name: Run a step if a secret has been set
+on: push
+jobs:
+  my-jobname:
+    runs-on: ubuntu-latest
+    env:
+      super_secret: ${{ secrets.SuperSecret }}
+    steps:
+      - if: ${{ env.super_secret != '' }}
+        run: echo 'This step will only run if the secret has a value set.'
+      - if: ${{ env.super_secret == '' }}
+        run: echo 'This step will only run if the secret does not have a value set.'
+```
+{% endraw %}
+
+For more information, see "[Context availability](/actions/learn-github-actions/contexts#context-availability)" and "[Encrypted secrets](/actions/security-guides/encrypted-secrets)."
+
 ### `jobs.<job_id>.steps[*].name`
 
 A name for your step to display on {% data variables.product.prodname_dotcom %}.