On Tue, Aug 29, 2023 at 10:18:24AM +0200, Johannes Schindelin wrote: > - Limit it by repository "topics" (think: "repository tags"): > > if: contains(github.event.repository.topics, 'has-coverity-secrets') FWIW, I like this approach the most. As you note, it's not exactly obvious to discover, but I think it is the most flexible. And setting up Coverity runs already requires a lot of non-obvious steps (like creating an account with them and getting a token to paste into the GitHub secrets area). My gut feeling is that we should be able to do something with env variables to avoid the (ab)use of repository tags, but when I looked into this in the past, it wasn't possible. However, poking at it again now, it seems that the "vars" context (but not "secrets") is available to "jobs.*.if". I'm not sure if I missed before, or if that's a new feature since the last time I checked. At any rate, it seems to work to do: if: vars.ENABLE_COVERITY != '' or even make COVERITY_SCAN_EMAIL a "var" instead of a "secret", and use that. Likewise, I think we could do: if: contains(vars.COVERITY_BRANCHES, github.ref_name) to allow individual repositories to do their own branch selection (that is matching by substring, which is probably good enough, but if you want to get fancy, I think we can use fromJSON to interpret the contents of the variable). (I had mostly looked into this in the context of branch selection for our ci-config job, and I think we could do something similar there). -Peff
