Skip to content

chore: Skip Vault secret steps on fork PRs#2759

Merged
leventebalogh merged 1 commit into
mainfrom
leventebalogh/ci-workflow-fixes
Jul 17, 2026
Merged

chore: Skip Vault secret steps on fork PRs#2759
leventebalogh merged 1 commit into
mainfrom
leventebalogh/ci-workflow-fixes

Conversation

@leventebalogh

@leventebalogh leventebalogh commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Related PR: #2757 (a fork PR that was hitting this limitation)

The problem

Currently fork PRs cannot get green CI for the following two reasons:

  • playwright.yml runs the get-vault-secrets DockerHub step unconditionally, which fails with Unable to get ACTIONS_ID_TOKEN_REQUEST_URL because fork runs never receive an OIDC id-token.
  • In ci.yml the secret steps are already gated (CI: Skip vault secrets and publish-report for fork PRs #2547), but the sign-plugin steps reference fromJSON(steps.get-secrets.outputs.secrets) in their env, which GitHub evaluates even when the step is skipped — so fromJSON('') fails the job with a template error.

What changed?

The DockerHub secret + login steps in playwright.yml are skipped on fork PRs (anonymous image pulls, rate-limit risk only), and the fromJSON consumers fall back to '{}' so skipped secrets no longer break template evaluation. E2E tests still run on fork PRs — they never needed the secrets.

Notes for the reviewer:
Non-fork behavior is unchanged — this PR itself should show the secret steps running and the Docker Hub login succeeding.

@leventebalogh
leventebalogh requested review from a team as code owners July 8, 2026 08:42
@leventebalogh
leventebalogh requested a review from toddtreece July 8, 2026 08:42
@leventebalogh leventebalogh self-assigned this Jul 8, 2026
@leventebalogh leventebalogh moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team Jul 8, 2026
@leventebalogh leventebalogh changed the title CI: Skip Vault secret steps on fork PRs chore: Skip Vault secret steps on fork PRs Jul 8, 2026
konstantinmv
konstantinmv previously approved these changes Jul 8, 2026
@leventebalogh
leventebalogh requested a review from tolzhabayev July 8, 2026 09:27
Ukochka
Ukochka previously approved these changes Jul 8, 2026
tolzhabayev
tolzhabayev previously approved these changes Jul 8, 2026
toddtreece
toddtreece previously approved these changes Jul 8, 2026
@leventebalogh
leventebalogh force-pushed the leventebalogh/ci-workflow-fixes branch from 57cd76d to 05f0fcf Compare July 9, 2026 07:04
jackw
jackw previously approved these changes Jul 16, 2026

@jackw jackw left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🚀

Fork pull_request runs never receive an OIDC id-token, so get-vault-secrets
fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL". Gate the DockerHub
steps in playwright.yml on non-fork PRs (same pattern as ci.yml) and make
fromJSON consumers of guarded step outputs tolerate empty output, since
step env is evaluated even when a step is skipped.
@leventebalogh
leventebalogh force-pushed the leventebalogh/ci-workflow-fixes branch from 05f0fcf to b667ecb Compare July 17, 2026 12:51

@jackw jackw left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🚀

@leventebalogh
leventebalogh merged commit 9df51db into main Jul 17, 2026
36 checks passed
@leventebalogh
leventebalogh deleted the leventebalogh/ci-workflow-fixes branch July 17, 2026 13:54
@github-project-automation github-project-automation Bot moved this from 🔬 In review to 🚀 Shipped in Grafana Catalog Team Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: 🚀 Shipped

Development

Successfully merging this pull request may close these issues.

6 participants