Brian Douglas for GitHub


Conditional Workflows and Failures in GitHub Actions

Coming up on March 1st, GitHub is changing the way GitHub Actions works with Dependabot PRs. This change will treat all Dependabot PRs as forks of your repo, so they will not have access to things like the GITHUB_TOKEN. If you're using Dependabot in any of your projects, consider changing over to pull_request_target after reading up on the recent GitHub Actions security vulnerabilities research.

I have an example workflow that dumps the context of the runner in my Action logs. This is helpful if you don't want to use tmate or similar to debug. It's an excellent little debugging tool.


name: dump

on:
  pull_request:

jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1

Per the changelog, I can update it to use pull_request_target so it has access to the GITHUB_TOKEN with write access. But I also only want dependabot PRs leveraging this workflow. To do this, I can add a conditional expression to my workflow that checks that the github.actor is only 'dependabot[bot]'.

name: dump

on:
  pull_request:

jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor == 'dependabot[bot]' # added conditional
        uses: crazy-max/ghaction-dump-context@v1

Now the conditional will skip the workflow step if the actor is not 'dependabot[bot]'. But what if I want to fail the workflow for human contributors? I can invert the conditional and add a failure by running exit 1, like so.

name: dump

on:
  pull_request:

jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor != 'dependabot[bot]' # inverted: matches human contributors
        run: exit 1 # added failure
      - name: the dump
        uses: crazy-max/ghaction-dump-context@v1

But keep in mind that if you have a conditional, nothing depends on it, and you don't want a failure, it'll just skip the job.
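
Putting the pieces above together, as an added example that is not from the original post: the same dump workflow moved to pull_request_target, with one job that is silently skipped for non-Dependabot actors and one that fails explicitly for them. The `permissions` block, the extra check on the PR author, and the `reject-humans` job name are assumptions added here.

```yaml
# Added example, not the author's workflow.
name: dump

on:
  pull_request_target:   # runs the workflow file from the base branch

# Assumption: this workflow only needs to read the repository,
# so the write-capable default token is narrowed.
permissions:
  contents: read

jobs:
  # Skipped (reported as skipped, not failed) for everyone except Dependabot.
  dump:
    # github.actor is whoever triggered this run; the second test
    # (an addition here) also requires Dependabot to be the PR author.
    if: >-
      github.actor == 'dependabot[bot]' &&
      github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      # No checkout of the PR head: under pull_request_target the job runs
      # with the base repository's token, so PR code is never executed here.
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1

  # Explicit failure for human contributors instead of a silent skip.
  reject-humans:
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fail for non-Dependabot actors
        env:
          ACTOR: ${{ github.actor }}   # passed via env, not interpolated into the script
        run: |
          echo "::error::This workflow only runs for Dependabot PRs (actor: $ACTOR)"
          exit 1
```

A job-level `if` keeps the runner from starting at all for skipped jobs, while the second job makes the rejection visible as a failed check on the PR.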

I hope you found this helpful. Be sure to keep an eye on the GitHub Changelog for future Action updates, as well as other features.

This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev. Learn how to build action with Node.js


Top comments (1)

Nicolas Sebastian Vidal

Nice! I still feel it is a bit hacky, but! I really like how you have solved the inconvenience GitHub has created for all of us using Dependabot and integrating with third-party services. In my case, it is the upload of coverage being sent to Codecov that started to fail. I can live without the code coverage not being sent to Codecov on every new PR that is created by the bot, so that will be it! haha Thank you!
