Merged
1 change: 1 addition & 0 deletions .github/workflows/release.yml
Expand Up @@ -277,6 +277,7 @@ jobs:
finalize:
name: Finalize release
needs: [preflight, release]
if: ${{ secrets.RELEASE_APP_ID != '' }}
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify expression-context validity for this workflow.
# Expected (current): context error for `secrets` in jobs.<job_id>.if.
# Expected (after fix): no context-availability error on that line.
actionlint .github/workflows/release.yml

Repository: aaditagrawal/t3code

Length of output: 416


Line 280: secrets cannot be used in jobs.finalize.if, so this gate is invalid.

The secrets context is not available in job-level if conditions (only github, inputs, needs, and vars are allowed). This will fail workflow validation. Additionally, this condition only checks RELEASE_APP_ID but not RELEASE_APP_PRIVATE_KEY, so the finalize job can still fail if only the ID is present.

Suggested fix (gate via a preflight output that checks both secrets)
# preflight job
 outputs:
   version: ${{ steps.release_meta.outputs.version }}
   tag: ${{ steps.release_meta.outputs.tag }}
   is_prerelease: ${{ steps.release_meta.outputs.is_prerelease }}
   make_latest: ${{ steps.release_meta.outputs.make_latest }}
   ref: ${{ github.sha }}
+  has_release_app_secrets: ${{ steps.release_app_secrets.outputs.available }}

 steps:
+  - id: release_app_secrets
+    name: Detect release app secrets
+    shell: bash
+    env:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+    run: |
+      if [[ -n "$RELEASE_APP_ID" && -n "$RELEASE_APP_PRIVATE_KEY" ]]; then
+        echo "available=true" >> "$GITHUB_OUTPUT"
+      else
+        echo "available=false" >> "$GITHUB_OUTPUT"
+      fi

# finalize job
- if: ${{ secrets.RELEASE_APP_ID != '' }}
+ if: ${{ needs.preflight.outputs.has_release_app_secrets == 'true' }}
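Review bot: in the suggested `release_app_secrets` step, the `env:` block passes the raw `RELEASE_APP_PRIVATE_KEY` into a shell step that only tests it for emptiness. The `secrets` context is available in step-level `env`, so the comparison can be done in the expression and only a boolean string handed to the shell, for example `HAS_APP_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY != '' }}` (the variable name is illustrative), with the script then checking for `true`. That keeps the key material out of the preflight job's process environment entirely, while the output value and the `== 'true'` comparison in the `finalize` gate stay the same.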
🧰 Tools
🪛 actionlint (1.7.11)

[error] 280-280: context "secrets" is not allowed here. available contexts are "github", "inputs", "needs", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 280, The job-level if using secrets is
invalid; create a preflight job (e.g., check-release-secrets) that runs in a
step which inspects both secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY and
sets a job output like release_creds_set='true' or 'false', then gate the
finalize job using the preflight output (e.g., if:
needs.check-release-secrets.outputs.release_creds_set == 'true') instead of
referencing secrets directly; update the job name referenced in the workflow
from finalize to use needs.check-release-secrets for the conditional.

runs-on: ubuntu-24.04
steps:
- id: app_token
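Review bot: the `if:` added to `finalize` turns a missing `RELEASE_APP_ID` into a silent skip, so a run can finish green with `release` done and "Finalize release" never executed. Skipping may be the right behaviour where the app is not configured, but the run should say so: have an earlier job that can read the secret log a notice and set an output when the credentials are absent, and gate `finalize` on that output through `needs`. The `app_token` step that follows appears to be where these credentials are consumed, so the gate should cover everything that step requires rather than the ID alone.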