chore: Skip Vault secret steps on fork PRs#2759
Open
leventebalogh wants to merge 1 commit into
Open
Conversation
konstantinmv
approved these changes
Jul 8, 2026
Ukochka
approved these changes
Jul 8, 2026
tolzhabayev
approved these changes
Jul 8, 2026
toddtreece
approved these changes
Jul 8, 2026
Fork pull_request runs never receive an OIDC id-token, so get-vault-secrets fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL". Gate the DockerHub steps in playwright.yml on non-fork PRs (same pattern as ci.yml) and make fromJSON consumers of guarded step outputs tolerate empty output, since step env is evaluated even when a step is skipped.
57cd76d to
05f0fcf
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related PR: #2757 (a fork PR that was hitting this limitation)
The problem
Currently fork PRs cannot get green CI for the following two reasons:
playwright.ymlruns theget-vault-secretsDockerHub step unconditionally, which fails withUnable to get ACTIONS_ID_TOKEN_REQUEST_URLbecause fork runs never receive an OIDC id-token.ci.ymlthe secret steps are already gated (CI: Skip vault secrets and publish-report for fork PRs #2547), but the sign-plugin steps referencefromJSON(steps.get-secrets.outputs.secrets)in theirenv, which GitHub evaluates even when the step is skipped — sofromJSON('')fails the job with a template error.What changed?
The DockerHub secret + login steps in
playwright.ymlare skipped on fork PRs (anonymous image pulls, rate-limit risk only), and thefromJSONconsumers fall back to'{}'so skipped secrets no longer break template evaluation. E2E tests still run on fork PRs — they never needed the secrets.Notes for the reviewer:
Non-fork behavior is unchanged — this PR itself should show the secret steps running and the Docker Hub login succeeding.