Property job_workflow_sha in context github is not available

Open mbeckh opened this issue 2 years ago • 8 comments

Describe the bug

The property github.job_workflow_sha is not set in a job using a reusable workflow. Documentation at https://docs.github.com/en/actions/learn-github-actions/contexts#github-context states that "For jobs using a reusable workflow, the commit SHA for the reusable workflow file.".

To Reproduce

.github/workflows/test.yml:

name: Test
on:
  push:
jobs:
  test:
    uses: ./.github/workflows/reuse.yml

.github/workflows/reuse.yml:

name: Reuse
on:
  workflow_call:
jobs:
  reuse:
    runs-on: ubuntu-latest
    steps:
    - shell: bash
      run: echo 'github: ${{toJSON(github)}}'

The context github is printed, but there is no key job_workflow_sha. The output of ${{github.job_workflow_sha}} is empty.

The behavior is the same whether reuse.yml is in the same repository as test.yml or in a different repository.

Expected behavior

There is a key job_workflow_sha matching the commit SHA of the reusable workflow file as displayed in the job log under "Set up job" as "Uses: <owner>/<repository>/.github/workflows/reuse.yml@refs/heads/<branchname> (<SHA>)".

Runner Version and Platform

Runner version: 2.301.1
Platform: Ubuntu 22.04.1 LTS
Runner Image: ubuntu-22.04 20230129.2

What's not working?

The property job_workflow_sha is not available in the context github of the reusable workflow although the documentation states it should be there.

mbeckh Feb 05 '23 02:02

As a side note, I cannot find any context in which github.job_workflow_sha actually works. ex: from the caller workflow

name: pr
on:
  pull_request:
    branches: [main]

env:
  WORKFLOW_REF_ROOT_ENV: ${{ github.job_workflow_sha }}

jobs:
  pullrequest:
    uses: ./.github/workflows/pullrequest.yml
    secrets: inherit
    with:
      workflow-ref: ${{ github.job_workflow_sha }}

results in blank inputs and missing ${{ env.WORKFLOW_REF_ROOT_ENV }}

Inputs
    workflow-ref:

roulettedares Mar 08 '23 23:03

I checked the documentation source code; it seems this property is subject to some condition (contrary to the other ones):

{%- ifversion actions-oidc-custom-claims %}
| `github.job_workflow_sha` | `string` | {% data reusables.actions.job-workflow-sha-description %} |
{%- endif %}

Can I kindly ask the authors of this commit for a little more context on what this condition is about? How can I enable it?

cc: @jc-clark @lucascosti

kkurczewski Jul 04 '23 13:07

Hi @kkurczewski, I don't work at GitHub anymore, so I'll let @jc-clark answer your question. 🙂 (👋 Hi Joe 😁)

lucascosti Jul 04 '23 23:07

There is still no solution for this, is there?

axherrm Jul 14 '23 21:07

Still hitting this: https://github.com/pdxjohnny/scitt-api-emulator/actions/runs/6178211970/job/16771062928#step:9:17

##[debug]Evaluating: github.job_workflow_sha
##[debug]Evaluating Index:
##[debug]..Evaluating github:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'job_workflow_sha'
##[debug]=> null
##[debug]Result: null
Operating System
  Ubuntu
  22.04.3
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20230911.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20230911.1/images/linux/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20230911.1

johnandersen777 Sep 13 '23 21:09

Apologies, this is a documentation bug, and job_workflow_sha is only supported as an OIDC claim. A PR to correct the documentation is in progress.

I would recommend the community feedback discussions as a place to request any missing product feature. It is good to focus on the scenario, since that would not only help prioritize but also may help determine a different solution.

ericsciple Sep 29 '23 15:09

I found a workaround by requesting the token and extracting the claim. However, this only works on jobs which run within the repo's context, not pull requests for example.

  • https://github.com/slsa-framework/slsa-github-generator/issues/131
  • https://github.com/slsa-framework/slsa-github-generator/issues/358

johnandersen777 Oct 01 '23 01:10
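The workaround described in the comment above (request the job's OIDC token, then read the job_workflow_sha claim), as an added example that is not part of the original thread or of any project linked from it. It assumes the job has `permissions: id-token: write`, so that the runner sets ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN and returns the token in the `value` field of the JSON response; the sample token and its repository name and SHA are constructed.

```python
import base64
import json
import os
import re
import urllib.request

def fetch_oidc_token():
    """Ask the runner for this job's OIDC token (job needs `id-token: write`)."""
    url = os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"]
    bearer = os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + bearer})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["value"]

def jwt_claims(token):
    """Decode the JWT payload. No signature check: fine for a job reading its
    own token, but a relying party must verify it against the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def job_workflow_sha(token):
    """Return the commit SHA of the reusable workflow file from the token."""
    sha = jwt_claims(token).get("job_workflow_sha")
    if not isinstance(sha, str) or not re.fullmatch(r"[0-9a-f]{40}", sha):
        raise ValueError("job_workflow_sha claim missing or malformed")
    return sha

def constructed_token(claims):
    """Build an unsigned sample token for offline use (constructed, not real)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "c2FtcGxl"])

# Constructed sample claims; a real token carries many more.
SAMPLE = constructed_token({
    "job_workflow_ref": "example-org/example-repo/.github/workflows/reuse.yml@refs/heads/main",
    "job_workflow_sha": "0123456789abcdef0123456789abcdef01234567",
})

if __name__ == "__main__":
    live = "ACTIONS_ID_TOKEN_REQUEST_URL" in os.environ
    print(job_workflow_sha(fetch_oidc_token() if live else SAMPLE))
```

Run inside a workflow step it prints the SHA from the live token; run anywhere else it falls back to the constructed sample.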

Working solution here using this action ~ dariocurr/checkout-called https://github.com/actions/toolkit/issues/1264#issuecomment-2333996536

randallt21 Sep 10 '24 18:09

The crazy thing is that the announcement of this feature for OIDC claims also stated that this was intended to be available in the github context and as an environment variable. So while this may be treated as a documentation bug now, it was clearly originally intended to be a feature that worked as (previously) described in the documentation.

Alas, like most bugs/missing features in GitHub Actions, there will probably never be any actual solution implemented, because Copilot seems to have claimed all of the oxygen in the room.

philomory Dec 02 '25 02:12