From 4c566ce323250dce08bea527907066d7d7ca2737 Mon Sep 17 00:00:00 2001
From: Paul Swartz
Date: Wed, 5 Jul 2023 18:40:05 -0400
Subject: [PATCH] fix: only run Asana jobs if the secrets are present

This avoids failures when running on PRs from forks. We do it in this convoluted way because you can't access secrets directly from `if` blocks: https://github.com/actions/runner/issues/520 The key differences between this and https://github.com/mbta/workflows/pull/14 are:
- typo: should be `outputs` in the `if` blocks
- more explicity check for the secrets in a Bash script, so we can see the output
- use `yes` instead of `true` as the value to more clearly distinguish the value from a true boolean
---
 .github/workflows/asana.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/asana.yml b/.github/workflows/asana.yml
index 236c384..320807a 100644
--- a/.github/workflows/asana.yml
+++ b/.github/workflows/asana.yml
@@ -29,9 +29,21 @@ on:
 required: false
 description: GitHub secret that Asana uses to fetch PR information.
 jobs:
+ check-for-secrets:
+ runs-on: ubuntu-latest
+ outputs:
+ has-asana-token: ${{ steps.one.outputs.has-asana-token }}
+ has-github-secret: ${{ steps.one.outputs.has-github-secret }}
+ steps:
+ - id: one
+ run: |
+ [ -n "${{ secrets.asana-token }}" ] && echo "has-asana-token=yes" >> "$GITHUB_OUTPUT"
+ [ -n "${{ secrets.github-secret }}" ] && echo "has-github-secret=yes" >> "$GITHUB_OUTPUT"
+ cat "$GITHUB_OUTPUT"
 move-to-merged-asana-ticket-job:
 runs-on: ubuntu-latest
- if: inputs.merged-section != '' && github.event.pull_request.merged == true && github.actor != 'dependabot[bot]'
+ needs: check-for-secrets
+ if: inputs.merged-section != '' && needs.check-for-secrets.outputs.has-asana-token == 'yes' && github.event.pull_request.merged == true && github.actor != 'dependabot[bot]'
 steps:
 - name: Move ticket on merge
 uses: mbta/github-asana-action@v4.3.0
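Review bot: The `run:` script in `check-for-secrets` expands `${{ secrets.asana-token }}` and `${{ secrets.github-secret }}` into the script text before Bash parses it, so a secret value containing a double quote or other shell syntax is interpreted as script rather than data, and the value ends up in the generated script file on the runner. Passing both secrets through `env:` and testing the variables keeps the values out of the script source while giving the same `yes` outputs. The job also needs no token scopes, so `permissions: {}` on it would be a reasonable least-privilege addition. The environment variable names in the sketch below are placeholders.

```yaml
      - id: one
        env:
          ASANA_TOKEN: ${{ secrets.asana-token }}
          ASANA_GITHUB_SECRET: ${{ secrets.github-secret }}
        run: |
          [ -n "$ASANA_TOKEN" ] && echo "has-asana-token=yes" >> "$GITHUB_OUTPUT"
          [ -n "$ASANA_GITHUB_SECRET" ] && echo "has-github-secret=yes" >> "$GITHUB_OUTPUT"
          # … unchanged: cat "$GITHUB_OUTPUT" …
```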
@@ -42,7 +54,8 @@ jobs:
 mark-complete: ${{ inputs.complete-on-merge }}
 move-to-in-review-asana-ticket-job:
 runs-on: ubuntu-latest
- if: inputs.review-section != '' && github.event.action == 'review_requested' && github.actor != 'dependabot[bot]'
+ needs: check-for-secrets
+ if: inputs.review-section != '' && needs.check-for-secrets.outputs.has-asana-token == 'yes' && github.event.action == 'review_requested' && github.actor != 'dependabot[bot]'
 steps:
 - name: Move ticket on review requested
 uses: mbta/github-asana-action@v4.3.0
@@ -52,8 +65,9 @@ jobs:
 target-section: ${{ inputs.review-section }}
 create-asana-attachment-job:
 runs-on: ubuntu-latest
+ needs: check-for-secrets
 name: Create pull request attachments on Asana tasks
- if: inputs.attach-pr && github.actor != 'dependabot[bot]'
+ if: inputs.attach-pr && needs.check-for-secrets.outputs.has-github-secret == 'yes' && github.actor != 'dependabot[bot]'
 steps:
 - name: Create pull request attachments
 uses: Asana/create-app-attachment-github-action@v1.2
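Review bot: The `needs.check-for-secrets.outputs.has-asana-token == 'yes'` condition added to `move-to-in-review-asana-ticket-job` has no comment explaining why the secret is tested indirectly; the rationale lives only in the commit message. A short comment above the `if:` would stop a later cleanup from swapping it for a direct `secrets.*` test, which the commit message says cannot be used in `if` blocks: `# secrets cannot be read in a job-level if: (actions/runner#520); check-for-secrets reports their presence as 'yes'`. The same applies to the `if:` lines in the first and third hunks. The job's steps continue outside the hunk.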