@htekdev/actions-debugger 1.0.80 → 1.0.82
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/errors/caching-artifacts/cache-lookup-only-no-restore-silent.yml +88 -0
- package/errors/caching-artifacts/upload-artifact-rerun-run-id-collision.yml +67 -0
- package/errors/concurrency-timing/workflow-level-vs-job-level-concurrency-scope.yml +92 -0
- package/errors/known-unsolved/org-required-workflow-no-per-repo-override.yml +88 -0
- package/errors/runner-environment/larger-runner-labels-require-paid-plan.yml +73 -0
- package/errors/runner-environment/macos-bash-32-no-bash4-features.yml +110 -0
- package/errors/runner-environment/pip-externally-managed-environment-pep668.yml +83 -0
- package/errors/runner-environment/ubuntu-24-ruby-not-preinstalled.yml +74 -0
- package/errors/runner-environment/windows-shell-powershell-is-ps5-not-ps7.yml +85 -0
- package/errors/silent-failures/github-event-inputs-undefined-in-workflow-call.yml +102 -0
- package/errors/silent-failures/if-failure-not-triggered-on-cancellation.yml +96 -0
- package/errors/silent-failures/job-outputs-block-missing-needs-always-empty.yml +85 -0
- package/errors/triggers/push-branches-filter-bypassed-by-tag-push.yml +83 -0
- package/errors/triggers/release-created-fires-on-draft.yml +75 -0
- package/errors/triggers/workflow-dispatch-choice-input-api-no-validation.yml +98 -0
- package/errors/yaml-syntax/secrets-in-workflow-level-env-block-rejected.yml +91 -0
- package/package.json +1 -1
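--- a/package/errors/yaml-syntax/secrets-in-workflow-level-env-block-rejected.yml
+++ b/package/errors/yaml-syntax/secrets-in-workflow-level-env-block-rejected.yml
@@ -0,0 +1,91 @@
+id: yaml-syntax-051
+title: "secrets context unavailable in top-level workflow env: block — only valid at job/step level"
+category: yaml-syntax
+severity: error
+tags:
+- secrets
+- env-block
+- workflow-level
+- context-availability
+- expression-error
+- validation
+patterns:
+- regex: 'Context access might be invalid: secrets'
+flags: 'i'
+- regex: 'Unrecognized named-value: .secrets.'
+flags: 'i'
+- regex: 'The workflow is not valid.*named-value.*secrets'
+flags: 'i'
+error_messages:
+- "The workflow is not valid. .github/workflows/build.yml (Line: 5, Col: 20): Unexpected value 'secrets'"
+- "Context access might be invalid: secrets"
+- "Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.MY_SECRET"
+root_cause: |
+The secrets context (${{ secrets.* }}) is only available at the job and step level,
+not at the top-level (workflow-level) env: block. Placing secret references under the
+top-level env: key generates a workflow validation error because GitHub evaluates
+the workflow-level env: block before any job context is established and before
+secret injection has occurred.
+
+Available secret context locations:
+OK jobs.<job_id>.env:
+OK jobs.<job_id>.steps[*].env:
+OK jobs.<job_id>.steps[*].with:
+OK jobs.<job_id>.container.env:
+OK jobs.<job_id>.services.<id>.env:
+NOT OK env: (top-level, outside jobs:)
+NOT OK jobs.<job_id>.if:
+NOT OK jobs.<job_id>.steps[*].if:
+
+This is the most common cause of the "Unexpected value 'secrets'" validation error
+in newly written workflows. The workflow fails the pre-run validation check and
+no jobs execute.
+fix: |
+Move the secrets reference from the top-level env: block down to the job-level or
+step-level env: block where the secrets context is available.
+fix_code:
+- language: yaml
+label: "Wrong: secrets in top-level env: block generates validation error"
+code: |
+env:
+DB_PASSWORD: ${{ secrets.DB_PASSWORD }} # Invalid at top level
+API_TOKEN: ${{ secrets.API_TOKEN }} # Invalid at top level
+
+jobs:
+test:
+runs-on: ubuntu-latest
+steps:
+- run: ./run-tests.sh
+- language: yaml
+label: "Correct: secrets moved to job-level env: block"
+code: |
+jobs:
+test:
+runs-on: ubuntu-latest
+env:
+DB_PASSWORD: ${{ secrets.DB_PASSWORD }} # Valid at job level
+API_TOKEN: ${{ secrets.API_TOKEN }} # Valid at job level
+steps:
+- run: ./run-tests.sh
+- language: yaml
+label: "Alternative: secrets at step-level env: for minimal exposure"
+code: |
+jobs:
+test:
+runs-on: ubuntu-latest
+steps:
+- name: Run tests
+run: ./run-tests.sh
+env:
+DB_PASSWORD: ${{ secrets.DB_PASSWORD }} # Valid at step level
+prevention:
+- "The top-level env: block only supports literals and expressions that don't reference secrets, needs, or job context"
+- "Use top-level env: for constants like APP_ENV: production or NODE_ENV: test"
+- "Prefer step-level env: for secrets to minimize the scope where secrets are exposed"
+- "actionlint checks context availability and will flag secret-placement errors before push"
+- "GitHub validates workflow files on push — the validation error appears as a failed check before any job runs"
+docs:
+- url: "https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/contexts#context-availability"
+label: "GitHub Docs: Context availability"
+- url: "https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#env"
+label: "GitHub Docs: Workflow env: syntax"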
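Review bot: The `fix:` text and the example labelled "Correct" steer the reader to the job-level `env:`, which makes the secret visible to every step in the job (including any third-party action it runs), while the `prevention` list in the same file already says to prefer step-level `env:` to minimise exposure; the entry would be consistent if `fix:` named the step-level placement as the preferred fix, e.g. `Move the secrets reference to the env: of the step that needs it (preferred), or to the job-level env: when several steps need it.` The prevention bullet about the top-level `env:` could also mention that the `vars` context is available there, e.g. `Use top-level env: for constants or ${{ vars.* }} configuration values`, since configuration variables are the sanctioned non-secret substitute for that position. This rendering appears to have dropped leading indentation from every line, so the YAML nesting (block-scalar bodies, the `flags:` entries under each `- regex:`) cannot be verified from this page and should be checked in the raw file.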
package/package.json
CHANGED