Mix inherited with declared secrets

Open rethab opened this issue 3 years ago • 2 comments

actionlint assumes that in reusable workflows, you're either inheriting secrets or declaring them.

It is possible to mix them though. Consider this:

on:
  workflow_call:
    secrets:
      repositoryUrl:
        required: false

jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: abc/upload@v1
        with:
          url: ${{ secrets.repositoryUrl || secrets.GLOBAL_REPOSITORY_URL }}

This reusable workflow can be called either with secrets: inherit or by passing the repositoryUrl secret explicitly.

Any chance to support this?

rethab avatar May 30 '22 07:05 rethab
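
The two calling styles described in the issue above, as an added example that is not part of the original thread. The file names `release.yml` and `upload.yml` and the secret `STAGING_REPOSITORY_URL` are assumptions made for illustration.

```yaml
# Constructed caller workflow (hypothetical file .github/workflows/release.yml).
# Assumes the reusable workflow from the issue is saved as
# .github/workflows/upload.yml in the same repository.
on: push

jobs:
  # Style 1: forward every secret the caller can read.
  # Inside upload.yml, secrets.repositoryUrl is empty unless the caller has a
  # secret with that name, so the expression falls through to
  # secrets.GLOBAL_REPOSITORY_URL. That name is not declared under
  # on.workflow_call.secrets, which is the reference actionlint reports.
  upload-inherit:
    uses: ./.github/workflows/upload.yml
    secrets: inherit

  # Style 2: pass only the declared secret.
  # Inside upload.yml, secrets.GLOBAL_REPOSITORY_URL is empty because it was
  # not passed, so the expression resolves to secrets.repositoryUrl.
  # The called workflow sees this one secret and nothing else.
  upload-explicit:
    uses: ./.github/workflows/upload.yml
    secrets:
      repositoryUrl: ${{ secrets.STAGING_REPOSITORY_URL }}  # hypothetical secret name
```

Style 2 keeps the called workflow's access to a single named secret, while `secrets: inherit` exposes all of the caller's secrets to it.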

Yes, I agree that this behavior is too strict and not perfect. But there is no way to check mixed secrets without giving it up. It cannot be known from actionlint what secrets are defined in organization settings.

rhysd avatar Aug 12 '22 11:08 rhysd

In the meantime you can ignore the reported issue with a -ignore 'property "repositoryUrl" is not defined in .+' parameter, as I did at: https://github.com/kdeldycke/workflows/commit/73775061e8f0821bb184c16e40c389bb97c8fd23

kdeldycke avatar Feb 25 '23 07:02 kdeldycke