Skip to content

chore: Skip Vault secret steps on fork PRs#2759

Open
leventebalogh wants to merge 1 commit into
mainfrom
leventebalogh/ci-workflow-fixes
Open

chore: Skip Vault secret steps on fork PRs#2759
leventebalogh wants to merge 1 commit into
mainfrom
leventebalogh/ci-workflow-fixes

Conversation

@leventebalogh

@leventebalogh leventebalogh commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Related PR: #2757 (a fork PR that was hitting this limitation)

The problem

Currently fork PRs cannot get green CI for the following two reasons:

  • playwright.yml runs the get-vault-secrets DockerHub step unconditionally, which fails with Unable to get ACTIONS_ID_TOKEN_REQUEST_URL because fork runs never receive an OIDC id-token.
  • In ci.yml the secret steps are already gated (CI: Skip vault secrets and publish-report for fork PRs #2547), but the sign-plugin steps reference fromJSON(steps.get-secrets.outputs.secrets) in their env, which GitHub evaluates even when the step is skipped — so fromJSON('') fails the job with a template error.

What changed?

The DockerHub secret + login steps in playwright.yml are skipped on fork PRs (anonymous image pulls, rate-limit risk only), and the fromJSON consumers fall back to '{}' so skipped secrets no longer break template evaluation. E2E tests still run on fork PRs — they never needed the secrets.

Notes for the reviewer:
Non-fork behavior is unchanged — this PR itself should show the secret steps running and the Docker Hub login succeeding.

@leventebalogh leventebalogh requested review from a team as code owners July 8, 2026 08:42
@leventebalogh leventebalogh requested a review from toddtreece July 8, 2026 08:42
@leventebalogh leventebalogh self-assigned this Jul 8, 2026
@leventebalogh leventebalogh moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team Jul 8, 2026
@leventebalogh leventebalogh changed the title CI: Skip Vault secret steps on fork PRs chore: Skip Vault secret steps on fork PRs Jul 8, 2026
@leventebalogh leventebalogh requested a review from tolzhabayev July 8, 2026 09:27
Fork pull_request runs never receive an OIDC id-token, so get-vault-secrets
fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL". Gate the DockerHub
steps in playwright.yml on non-fork PRs (same pattern as ci.yml) and make
fromJSON consumers of guarded step outputs tolerate empty output, since
step env is evaluated even when a step is skipped.
@leventebalogh leventebalogh force-pushed the leventebalogh/ci-workflow-fixes branch from 57cd76d to 05f0fcf Compare July 9, 2026 07:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: 🔬 In review

Development

Successfully merging this pull request may close these issues.

5 participants