
Commit 070563e

committed
fix check_secrets, expect failure
1 parent 33d503f commit 070563e

2 files changed

+13
-8
lines changed

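--- a/.github/workflows/_build.yml
+++ b/.github/workflows/_build.yml
@@ -84,7 +84,8 @@ jobs:
 env:
 SANITIZERS: ${{ inputs.sanitizers }}
 plist_secret: ${{ secrets.plist_secret }}
-HAVE_SECRETS: ${{ needs.check_secrets.outputs.has_secrets }}
+FIREBASECI_SECRETS_PRESENT: ${{ needs.check_secrets.outputs.has_secrets }}
+FIREBASECI_IS_TRUSTED_ENV: ${{ github.repository == 'firebase/firebase-ios-sdk' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
 FIREBASECI_USE_LATEST_GOOGLEAPPMEASUREMENT: 1
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1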
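Review bot: The `FIREBASECI_IS_TRUSTED_ENV` expression classifies by exclusion: every event other than `pull_request` counts as trusted, and a `pull_request` counts as trusted whenever its head branch is in the same repository. That second case includes Dependabot branches, whose runs are not given Actions secrets. If a caller of this reusable workflow can be triggered that way (not visible here), those runs would take the "proceed and fail" branch in `check_secrets` instead of skipping. Consider an allow-list of the events expected to carry secrets. At minimum, add a comment above the line, for example `# Trusted = upstream repo and not a fork PR; bot PRs and pull_request_target are not distinguished here.`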

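--- a/scripts/check_secrets.sh
+++ b/scripts/check_secrets.sh
@@ -22,18 +22,22 @@ echo "GITHUB_HEAD_REF: ${GITHUB_HEAD_REF:-}"
 
 check_secrets()
 {
-# 1. Prioritize explicit workflow signal (HAVE_SECRETS).
-# - If set, use its value (true or false).
-if [[ -n "${HAVE_SECRETS:-}" ]]; then
-if [[ "$HAVE_SECRETS" == "true" ]]; then
-return 0 # Workflow says: Secrets ARE available.
+# 1. Prioritize explicit workflow signal (FIREBASECI_SECRETS_PRESENT).
+if [[ -n "${FIREBASECI_SECRETS_PRESENT:-}" ]]; then
+if [[ "$FIREBASECI_SECRETS_PRESENT" == "true" ]]; then
+return 0 # Workflow says: Secrets ARE available. Proceed.
 else
-return 1 # Workflow says: Secrets are NOT available.
+# Workflow says: Secrets are NOT available.
+if [[ "$FIREBASECI_IS_TRUSTED_ENV" == "true" ]]; then
+return 0 # Secrets not provided on main repo. Proceed (fail if secrets are actually needed).
+else
+return 1 # We don't expect secrets (e.g., fork PR). Skip gracefully.
+fi
 fi
 fi
 
 # 2. Fallback for un-migrated/legacy workflows: assume secrets if in GHA.
-# - This maintains original behavior for workflows not yet updated with HAVE_SECRETS.
+# - This maintains original behavior for workflows not yet updated with FIREBASECI_SECRETS_PRESENT.
 if [[ -n "${GITHUB_WORKFLOW:-}" ]]; then
 return 0 # Assume secrets if running in GHA (legacy behavior).
 fi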
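Review bot: The new test at new line 31 expands `$FIREBASECI_IS_TRUSTED_ENV` with no default, unlike the `${FIREBASECI_SECRETS_PRESENT:-}` and `${GITHUB_WORKFLOW:-}` guards around it. If the script runs under `set -u` (the `${...:-}` style suggests it may, though the option line is outside the hunk), a workflow that sets `FIREBASECI_SECRETS_PRESENT=false` without the new variable aborts with an unbound-variable error instead of taking the skip path. Use `if [[ "${FIREBASECI_IS_TRUSTED_ENV:-}" == "true" ]]; then` so an unset value falls through to `return 1`. It would also help to extend the step 1 comment to say that both variables are expected to be set together by the workflow. The body of `check_secrets` continues past the end of this hunk.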
