fix(ci): use env scope for secrets in gating if: expressions#431
Merged
GitHub Actions does not allow `secrets.X` to appear directly in
step-level `if:` expressions — only `env.X` is valid in that context.
Both ci.yml and security-scan.yml had Slack-notify steps gated on
`secrets.SLACK_WEBHOOK_URL != ''`, which made the entire workflow
fail to parse. Result: every push to main produced a 0-second failure
with 0 jobs run, masquerading as a CI signal that wasn't actually
running CI.
Confirmed root cause via:
```
gh api -X POST repos/.../actions/workflows/167079093/dispatches \
  -f ref=main
→ 422 Invalid Argument - failed to parse workflow:
(Line: 315, Col: 11): Unrecognized named-value: 'secrets'
```
Fix: promote the secret to job-level `env:` so step-level `if:`
references `env.SLACK_WEBHOOK_URL`. The actual secret value still
flows through unchanged for the action's runtime use.
Same pattern applied to security-scan.yml line 406 (the existing
SECURITY_SLACK_WEBHOOK_URL gate).
After this lands, every push to main should produce real CI runs
that actually execute jobs and reflect repo health honestly. The
runs may still fail for *real* reasons (e.g., CI image dependencies,
test gaps), but they will fail visibly with logs instead of in 0s
with no jobs.
Co-Authored-By: claude-flow <ruv@ruv.net>
Root cause
Every push to main has produced a 0-second CI failure with 0 jobs executed — visible on PR #389, #377, #405, #425, #426, #427, #430, and every commit since. The workflow appeared to fail without ever running anything.
Confirmed via direct API dispatch:
```
$ gh api -X POST repos/ruvnet/RuView/actions/workflows/167079093/dispatches -f ref=main
422 Invalid Argument - failed to parse workflow:
(Line: 315, Col: 11): Unrecognized named-value: 'secrets'.
Located at position 1 within expression: secrets.SLACK_WEBHOOK_URL != ''
```
The Slack-notify steps in `ci.yml` (lines 315/325) and `security-scan.yml` (line 406) used `${{ secrets.X != '' }}` directly in step-level `if:` conditions. GitHub Actions does not allow direct `secrets.X` access in `if:` expressions — only `env.X` is valid in that context. The whole workflow file was rejected during parse, every job was skipped, and a "failure" status was reported with no logs.
Fix
Promote the secret to job-level `env:` so step-level `if:` references `env.X`. The actual secret value still flows through unchanged at runtime.
Before:
```yaml
notify:
  steps:
    - if: ${{ secrets.SLACK_WEBHOOK_URL != '' && needs.foo.result == 'success' }}
      env:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
```
After:
```yaml
notify:
  env:
    SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
  steps:
    - if: ${{ env.SLACK_WEBHOOK_URL != '' && needs.foo.result == 'success' }}
```
Same pattern applied to `security-scan.yml` for `SECURITY_SLACK_WEBHOOK_URL`.
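As an added example (not part of this PR or the RuView repository), a small pre-push lint for the class of error fixed here: it flags any `if:` line that references the `secrets` context, and prints the `env.X` rewrite plus the job-level `env:` block the PR applies. The sample workflow text is constructed to mirror the Before block above.

```python
"""Lint GitHub Actions workflow text for `secrets.*` inside `if:` expressions.

The Actions parser rejects the whole workflow file when an `if:` condition
references the `secrets` context, so the failure surfaces as a 0-second run
with no jobs. This scanner catches such lines before push and proposes the
`env.*` rewrite. It is line-oriented on purpose: no YAML library is needed
and the reported line numbers match the editor's.
"""
import re
from typing import List, NamedTuple

IF_LINE = re.compile(r"^\s*(?:-\s+)?if:\s*(?P<expr>.+?)\s*$")
SECRET_REF = re.compile(r"\bsecrets\.(?P<name>[A-Za-z_][A-Za-z0-9_]*)")


class Finding(NamedTuple):
    line: int            # 1-based line number in the workflow text
    expression: str      # the offending `if:` expression as written
    secrets: List[str]   # secret names referenced, in order of appearance
    suggestion: str      # same expression with `secrets.X` -> `env.X`


def find_secrets_in_if(workflow_text: str) -> List[Finding]:
    """Return one Finding per `if:` line that references the secrets context."""
    findings = []
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        m = IF_LINE.match(raw)
        if not m:
            continue
        expr = m.group("expr")
        names = [s.group("name") for s in SECRET_REF.finditer(expr)]
        if names:
            findings.append(Finding(lineno, expr, names,
                                    SECRET_REF.sub(r"env.\g<name>", expr)))
    return findings


def env_lines_for(finding: Finding, indent: str = "  ") -> List[str]:
    """Job-level `env:` block that makes the suggested `env.X` references resolvable."""
    lines = [f"{indent}env:"]
    for name in dict.fromkeys(finding.secrets):   # dedupe, keep order
        lines.append(f"{indent}  {name}: ${{{{ secrets.{name} }}}}")
    return lines


# Constructed sample mirroring the PR's "before" state (not the repo's file).
BEFORE = """\
notify:
  steps:
    - if: ${{ secrets.SLACK_WEBHOOK_URL != '' && needs.foo.result == 'success' }}
      env:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
"""

if __name__ == "__main__":
    for f in find_secrets_in_if(BEFORE):
        print(f"line {f.line}: secrets context in if: {f.secrets}")
        print("  suggest:", f.suggestion)
        print("\n".join(env_lines_for(f)))
```

Run it over `.github/workflows/*.yml` in a pre-commit hook; a non-empty result means the file would be rejected at parse time exactly as the 422 above shows.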
Validation
```
$ gh api -X POST repos/ruvnet/RuView/actions/workflows/167079093/dispatches -f ref=fix/ci-workflows-secrets-in-if
(no error — workflow now parses)
$ gh run list --workflow ci.yml --branch fix/ci-workflows-secrets-in-if
[{"name":"Continuous Integration","status":"in_progress","event":"workflow_dispatch"}]
```
Pre-fix: `name: ".github/workflows/ci.yml"` (path — GitHub's fallback when the YAML name field can't be read), `status: completed` with 0 jobs in 0s.
Post-fix: `name: "Continuous Integration"` (matches the YAML `name:` field at line 1), `status: in_progress`, jobs actually executing.
What this PR does NOT fix
The CI runs may still fail for real reasons once they actually execute (missing CI dependencies, broken tests, missing secrets, etc.). This PR only restores honesty: failures will now produce real logs you can read, instead of vanishing into a 0-second startup error.
If `SLACK_WEBHOOK_URL` / `SECURITY_SLACK_WEBHOOK_URL` aren't configured as repo secrets, the corresponding notify steps will skip gracefully (`env.X == ''`), which is the intended behavior.
Test plan
🤖 Generated with claude-flow