From 3ba2ddcfe4a05c4c1070f7562d341ddbbba9f505 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Sun, 25 Jan 2026 20:19:57 +0000
Subject: [PATCH] fix(ci): use env var for Docker Hub token check in workflow conditions

GitHub Actions doesn't allow secrets context in step if expressions. Add HAS_DOCKERHUB_TOKEN env var at job level that evaluates the secret existence, then reference that env var in step conditions. Fixes: "Unrecognized named-value: 'secrets'" workflow validation error
---
 .github/workflows/docker-build.yml | 8 +++++---
 .github/workflows/nightly-build.yml | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index bdc61f8c..5d41958d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -35,6 +35,8 @@ env:
 jobs:
 build-and-push:
+ env:
+ HAS_DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN != '' }}
 runs-on: ubuntu-latest
 timeout-minutes: 30
 permissions:
@@ -114,7 +116,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Log in to Docker Hub
- if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && secrets.DOCKERHUB_TOKEN != ''
+ if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && env.HAS_DOCKERHUB_TOKEN == 'true'
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: docker.io
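Review bot: The new job-level `HAS_DOCKERHUB_TOKEN` entry in `.github/workflows/docker-build.yml` (hunk `@@ -35,6 +35,8 @@`) has no comment explaining why the secret is tested indirectly, so a later cleanup could put `secrets.DOCKERHUB_TOKEN` back into a step `if:`. I would add above it `# secrets.* is not usable in step-level if:, so expose only whether the token is set (never its value)`. Because the flag is set at job level it is visible to every step, which is acceptable only as long as the expression stays a boolean comparison. When the secret is missing, the login, signing and SBOM steps are skipped and the job can still pass, so a one-line `::warning::` step for the `'false'` case would make an unpublished or unsigned Docker Hub image visible. The same applies to the `build-and-push-nightly` job in `nightly-build.yml` (`@@ -65,6 +65,8 @@`); both job bodies continue outside their hunks.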
@@ -433,7 +435,7 @@ jobs:
 # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
 - name: Sign Docker Hub Image
- if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true' && secrets.DOCKERHUB_TOKEN != ''
+ if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true' && env.HAS_DOCKERHUB_TOKEN == 'true'
 run: |
 echo "Signing Docker Hub image with keyless signing..."
 cosign sign --yes ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -441,7 +443,7 @@ jobs:
 # Attach SBOM to Docker Hub image
 - name: Attach SBOM to Docker Hub
- if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true' && secrets.DOCKERHUB_TOKEN != ''
+ if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true' && env.HAS_DOCKERHUB_TOKEN == 'true'
 run: |
 echo "Attaching SBOM to Docker Hub image..."
 cosign attach sbom --sbom sbom.cyclonedx.json ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index 8e55753c..50e771a5 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -65,6 +65,8 @@ jobs:
 build-and-push-nightly:
 needs: sync-development-to-nightly
 runs-on: ubuntu-latest
+ env:
+ HAS_DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN != '' }}
 permissions:
 contents: read
 packages: write
@@ -98,7 +100,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Log in to Docker Hub
- if: secrets.DOCKERHUB_TOKEN != ''
+ if: env.HAS_DOCKERHUB_TOKEN == 'true'
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: docker.io
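Review bot: In the `Sign Docker Hub Image` step of `docker-build.yml` (`@@ -433,7 +435,7 @@`), the `run:` script still expands `${{ env.DOCKERHUB_REGISTRY }}`, `${{ env.IMAGE_NAME }}` and the digest output directly into the shell line, unquoted. Expression text is substituted before the shell parses the script, so a value containing shell metacharacters would change the command; whether any of these values can is not visible in this hunk. I would pass the reference through the step environment, `IMAGE_REF: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}` under `env:`, and run `cosign sign --yes "$IMAGE_REF"`. The same pattern appears in the Attach SBOM step (`@@ -441,7 +443,7 @@`) and in both nightly hunks (`@@ -163,7 +165,7 @@`, `@@ -171,7 +173,7 @@`); the steps may continue outside their hunks.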
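Review bot: `cosign attach sbom` in the `Attach SBOM to Docker Hub` step of `docker-build.yml` (`@@ -441,7 +443,7 @@`) uploads the SBOM as a plain artifact next to the image; unlike the signing step before it, nothing visible in this hunk signs that attachment, so a consumer cannot verify who produced it. Cosign 2.x also reports SBOM attachments as deprecated. A signed attestation addresses both, for example `cosign attest --yes --type cyclonedx --predicate sbom.cyclonedx.json` followed by the same image-by-digest reference the step already uses. The nightly workflow's attach step (`@@ -171,7 +173,7 @@`, with `sbom-nightly.json`) is written the same way.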
@@ -163,7 +165,7 @@ jobs:
 # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
 - name: Sign Docker Hub Image
- if: secrets.DOCKERHUB_TOKEN != ''
+ if: env.HAS_DOCKERHUB_TOKEN == 'true'
 run: |
 echo "Signing Docker Hub nightly image with keyless signing..."
 cosign sign --yes ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
@@ -171,7 +173,7 @@ jobs:
 # Attach SBOM to Docker Hub image
 - name: Attach SBOM to Docker Hub
- if: secrets.DOCKERHUB_TOKEN != ''
+ if: env.HAS_DOCKERHUB_TOKEN == 'true'
 run: |
 echo "Attaching SBOM to Docker Hub nightly image..."
 cosign attach sbom --sbom sbom-nightly.json ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}