
fix(release): replace secrets-in-if with env-bridge guard step #276

Merged: jdfalk merged 1 commit into main from fix/secrets-in-if-mint-app-token on Apr 29, 2026

Conversation

@jdfalk (Owner) commented Apr 29, 2026

Summary

if: ${{ secrets.CI_APP_ID != '' }} is invalid in a reusable (workflow_call) workflow — GitHub Actions rejects with:

Invalid workflow file: ...
error parsing called workflow
-> 'jdfalk/ghcommon/.github/workflows/reusable-release.yml@<sha>'
: (Line: 316, Col: 13): Unrecognized named-value: 'secrets'.
Located at position 1 within expression: secrets.CI_APP_ID != ''

Every caller fails to validate (0-second runtime, name shows as the file path instead of name:).

Materialize the secret through env in a guard step, then gate the Mint step on that step's output. Same observable behavior — skip mint when CI_APP_ID is empty — but the if-expression uses steps.check-app.outputs.* which IS allowed in callable workflows.

How this snuck in

Original commit c46f978 ("skip app-token mint when CI_APP_ID is unset") swapped continue-on-error: true for if: ${{ secrets.CI_APP_ID != '' }}. continue-on-error worked in a reusable; the if expression doesn't.

Test plan

  • Tested locally with actionlint
  • After merge: re-trigger overnight-burndown's prerelease.yml and confirm the run validates and proceeds past load-time

🤖 Generated with Claude Code

`if: ${{ secrets.CI_APP_ID != '' }}` is invalid in a reusable
(workflow_call) workflow — GHA rejects with "Unrecognized named-value:
'secrets'" at workflow load time, and every caller fails to validate
with a 0-second runtime and the path-as-name fallback.

Materialize the secret through env in a guard step, then gate the
Mint step on that step's output. Same observable behavior as before
(skip mint when CI_APP_ID empty), but the if-expression now uses
steps.check-app.outputs.* which is allowed in callable workflows.

Caught when wiring up overnight-burndown's prerelease workflow.
Until this lands, every caller of reusable-release.yml fails to
validate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
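The env-bridge pattern the PR describes, written out as an added illustration rather than the project's actual reusable-release.yml. The step id `check-app` and the secret name `CI_APP_ID` come from the PR; the output name `has_app`, the companion secret `CI_APP_PRIVATE_KEY` and the use of `actions/create-github-app-token` for the mint step are assumptions.

```yaml
# Added example of the guard-step pattern; not the repository's own workflow file.
on:
  workflow_call:
    secrets:
      CI_APP_ID:
        required: false
      CI_APP_PRIVATE_KEY:          # assumed companion secret for the mint step
        required: false

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (rejected at load time inside a workflow_call workflow):
      #   - id: mint
      #     if: ${{ secrets.CI_APP_ID != '' }}   # -> "Unrecognized named-value: 'secrets'"
      #     uses: actions/create-github-app-token@v1

      # AFTER: the `secrets` context is allowed in a step's `env:`, so read it there,
      # decide inside the step, and expose only a boolean as an output.
      # The secret value itself is never echoed, so nothing sensitive reaches the log.
      - id: check-app
        env:
          CI_APP_ID: ${{ secrets.CI_APP_ID }}
        run: |
          if [ -n "$CI_APP_ID" ]; then
            echo "has_app=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_app=false" >> "$GITHUB_OUTPUT"
          fi

      # The step-level `if:` now references the steps context, which IS valid here.
      - id: mint
        if: ${{ steps.check-app.outputs.has_app == 'true' }}
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.CI_APP_ID }}
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
```

A caller that does not pass CI_APP_ID gets an empty string in the guard step, `has_app=false`, and a skipped mint step, which matches the behaviour the earlier `continue-on-error` version was trying to preserve.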
@jdfalk jdfalk merged commit dd8fae1 into main Apr 29, 2026
30 of 34 checks passed
@jdfalk jdfalk deleted the fix/secrets-in-if-mint-app-token branch April 29, 2026 04:33
@github-actions github-actions Bot added github-actions GitHub Actions related work module:config Configuration management workflow:github-actions GitHub Actions workflows labels Apr 29, 2026