DEV Community

loading...
Play Button Pause Button
GitHub

Conditional Workflows and Failures in GitHub Actions

Brian Douglas
Brian is a developer advocate at GitHub, which means he likes chatting with developers about developer things and sometimes writes code.
Updated on ・2 min read

Coming up on March 1st, GitHub, changing the way GitHub Actions work with Dependabot PRs. This change will treat all these Dependabot PRs as forks to your repo, so they will not have access to things like the GITHUB_TOKEN token. So if you're using Dependabot in any of your projects, consider changing over to pull_request_target after reading up on the recent GitHub Actions Security vulnerabilities research.

I have an example workflow that dumps the context of the runner in my Action logs. This is helpful if you don't want to use tmate or similar to debug. It's an excellent little debugging tool.


name: dump

on:
  pull_request:

jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        uses: crazy-max/ghaction-dump-context@v1
Enter fullscreen mode Exit fullscreen mode

Per the changelog, I can update it to use pull_request_target so it has access to the GITHUB_TOKEN with write access. But I also only want dependabot PRs leveraging this workflow. To do this, I can add a conditional expression to my workflow that checks that the github.actor is only 'dependabot[bot]'.

name: dump

on:
  pull_request:

jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor == 'dependabot[bot]' // added condiontal
        uses: crazy-max/ghaction-dump-context@v1
Enter fullscreen mode Exit fullscreen mode

Now the conditional will skip the workflow step if the actor is not 'dependabot[bot]'. But what if I want to fail the workflow from human contributors? I can inverse the conditional, but I can also add a failure, but running exit 1 like so.

name: dump

on:
  pull_request:

jobs:
  dump:
    runs-on: ubuntu-latest
    steps:
      - name: Dump context
        if: github.actor == 'dependabot[bot]'
        run: exit 1 // added failure
      - name: the dump
        uses: crazy-max/ghaction-dump-context@v1
Enter fullscreen mode Exit fullscreen mode

But keep in mind if you have a conditional, and it's not dependent by any don't want a failure, it'll just skip the job.

I hope you found this helpful. Be sure to keep an eye on the GitHub Changelog for future Action updates, as well as other features.

This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev. Learn how to build action with Node.js

Discussion (1)

Collapse
nisevi profile image
Nicolas Sebastian Vidal

Nice! I still feel is a bit hacky, but! I really like how you have solved the inconvenience GitHub has created for all of us using dependabot and integrating with third-party services. In my case, it is the upload of coverage being sent to codecov what started to fail. I can live without the codecoverage not being sent to codecov on every new PR that is created by the bot, so that will be it! haha Thank you!