Check result of branch-deploy on every subsequent step #112
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull request overview
This PR refactors the smoketest workflow by consolidating it from a two-job structure into a single job that checks the branch-deploy output on each subsequent step. This approach eliminates the need for job dependencies and output passing between jobs.
Key Changes:
- Merged
permission-checkandrun-testsjobs into a singleLinuxjob - Added conditional checks on each step to verify
branch-deploycontinue output - Removed job-level
needsandoutputsconfiguration
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
.github/workflows/smoketest.yaml
Outdated
| python -m pip install hatch | ||
| - name: Run tests | ||
| - if steps.branch-deploy.outputs.continue == "true" |
There was a problem hiding this comment.
The if conditional syntax is incorrect. In GitHub Actions, the if keyword should be followed by a colon : and the condition expression should reference the step output using ${{ }} syntax.
The correct syntax should be:
- if: steps.branch-deploy.outputs.continue == 'true'
name: Run testsNote the colon after if and the proper expression syntax with ${{ }}.
| - if: steps.branch-deploy.outputs.continue == "true" | ||
| name: Setup Python venv | ||
| run: | | ||
| python -m venv .venv | ||
| source .venv/bin/activate | ||
| python -m pip install hatch | ||
| - name: Run tests | ||
| - if: steps.branch-deploy.outputs.continue == "true" |
Check failure
Code scanning / CodeQL
Untrusted Checkout TOCTOU Critical
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - if: steps.branch-deploy.outputs.continue == "true" | ||
| name: Run tests |
There was a problem hiding this comment.
[nitpick] The if conditional should be placed after the name field. Consider:
- name: Run tests
if: steps.branch-deploy.outputs.continue == 'true'
env:
AI_API_TOKEN: ${{ secrets.AI_API_TOKEN }}
GITHUB_AUTH_HEADER: "Bearer ${{ secrets.GITHUB_TOKEN }}"
run: |
...See below for a potential fix:
- name: Setup Python
if: steps.branch-deploy.outputs.continue == "true"
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Checkout the repo
if: steps.branch-deploy.outputs.continue == "true"
uses: actions/checkout@v6
with:
ref: ${{ steps.branch-deploy.outputs.sha }}
- name: Setup Python venv
if: steps.branch-deploy.outputs.continue == "true"
run: |
python -m venv .venv
source .venv/bin/activate
python -m pip install hatch
- name: Run tests
if: steps.branch-deploy.outputs.continue == "true"
| - if: steps.branch-deploy.outputs.continue == "true" | ||
| name: Setup Python |
There was a problem hiding this comment.
[nitpick] The if conditional should be placed after the name field in the step definition, not before it. While GitHub Actions is sometimes forgiving about field order, the standard convention is:
- name: Setup Python
if: steps.branch-deploy.outputs.continue == 'true'
uses: actions/setup-python@v5
with:
python-version: '3.11'This ensures better readability and follows GitHub Actions best practices.
See below for a potential fix:
- name: Setup Python
if: steps.branch-deploy.outputs.continue == "true"
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Checkout the repo
if: steps.branch-deploy.outputs.continue == "true"
uses: actions/checkout@v6
with:
ref: ${{ steps.branch-deploy.outputs.sha }}
- name: Setup Python venv
if: steps.branch-deploy.outputs.continue == "true"
run: |
python -m venv .venv
source .venv/bin/activate
python -m pip install hatch
- name: Run tests
if: steps.branch-deploy.outputs.continue == "true"
| - if: steps.branch-deploy.outputs.continue == "true" | ||
| name: Checkout the repo |
There was a problem hiding this comment.
[nitpick] The if conditional should be placed after the name field. Consider:
- name: Checkout the repo
if: steps.branch-deploy.outputs.continue == 'true'
uses: actions/checkout@v6
with:
ref: ${{ steps.branch-deploy.outputs.sha }}See below for a potential fix:
- name: Setup Python
if: steps.branch-deploy.outputs.continue == "true"
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Checkout the repo
if: steps.branch-deploy.outputs.continue == "true"
uses: actions/checkout@v6
with:
ref: ${{ steps.branch-deploy.outputs.sha }}
- name: Setup Python venv
if: steps.branch-deploy.outputs.continue == "true"
run: |
python -m venv .venv
source .venv/bin/activate
python -m pip install hatch
- name: Run tests
if: steps.branch-deploy.outputs.continue == "true"
| - if: steps.branch-deploy.outputs.continue == "true" | ||
| name: Setup Python venv |
There was a problem hiding this comment.
[nitpick] The if conditional should be placed after the name field. Consider:
- name: Setup Python venv
if: steps.branch-deploy.outputs.continue == 'true'
run: |
python -m venv .venv
source .venv/bin/activate
python -m pip install hatch| - if: steps.branch-deploy.outputs.continue == "true" | |
| name: Setup Python venv | |
| - name: Setup Python venv | |
| if: steps.branch-deploy.outputs.continue == "true" |
1 participant
Unfortunately, this seems to be the only solution. See #111 for my previous attempts.