Hi Peff, On Tue, 29 Aug 2023, Jeff King wrote: > On Tue, Aug 29, 2023 at 10:18:24AM +0200, Johannes Schindelin wrote: > > > - Limit it by repository "topics" (think: "repository tags"): > > > > if: contains(github.event.repository.topics, 'has-coverity-secrets') > > FWIW, I like this approach the most. [...] > > My gut feeling is that we should be able to do something with env > variables [...] Environment variables need an environment, i.e. a running build agent. That's why they aren't available in our use case, but only inside a step (which is too late for our purposes). I am unsure why secrets aren't available in job-level `if:` expressions, but they aren't, and that's that, for now. > [...] it seems that the "vars" context (but not "secrets") is available > to "jobs.*.if". I'm not sure if I missed before, or if that's a new > feature since the last time I checked. I had missed that, too. It was announced here: https://github.blog/2023-01-10-introducing-required-workflows-and-configuration-variables-to-github-actions/#configuration-variables (I must have glanced over that post when I saw it because it talked about required workflows, which are currently irrelevant to my interests). FWIW the feature is documented here: https://docs.github.com/en/actions/learn-github-actions/variables And https://docs.github.com/en/actions/learn-github-actions/variables#using-the-vars-context-to-access-configuration-variable-values specifically says: Configuration variables can be accessed across the workflow using `vars` context. I.e. it suggests that the context can be used even in the `run-name` attribute of any workflow. Nice. FWIW I was unable to deduce any authoritative information as to where the `secrets` context can be accessed from https://docs.github.com/en/actions/learn-github-actions/contexts#secrets-context, but I must assume that access to that context is highly restricted and probably cannot be used outside the `steps:` attribute, explaining why a job-level (and in my previous tests, even step-level) `if:` condition cannot access them. > (I had mostly looked into this in the context of branch selection for > our ci-config job, and I think we could do something similar there). FWIW I concur. Ciao, Johannes
