fix(ci): move secret-scanner Cargo.toml gate from job-level if: to step-level#25
Merged
Merged
Conversation
…ep-level
`secret-scanner.yml` has had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds with `conclusion=failure` and zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist; `gh workflow view` returns the file cleanly.
## Root cause
The `rust-secrets` job has a job-level `if:` clause:
```yaml
rust-secrets:
runs-on: ubuntu-latest
if: hashFiles('**/Cargo.toml') != ''
```
GitHub Actions does not support `hashFiles()` in **job-level** `if:` conditions. The docs say `hashFiles` is "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference.
## Fix
Mirrors hyperpolymath/stapeln#36. Removes the job-level `if:` line and adds a step-level guard at the top of the existing run block:
```bash
if ! find . -name Cargo.toml -not -path './target/*' -print -quit | grep -q .; then
echo "No Cargo.toml found — skipping Rust secrets check"
exit 0
fi
```
Same semantics (skip when no `Cargo.toml`), but at a context where the expression works.
After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
secret-scanner.ymlhas had 0 successful runs since creation across all estate consumers — every run completes in 0 seconds withconclusion=failureand zero jobs spawned (GitHub Actions startup_failure). YAML is syntactically valid; both action SHAs exist;gh workflow viewreturns the file cleanly.Root cause
The
rust-secretsjob has a job-levelif:clause:GitHub Actions does not support
hashFiles()in job-levelif:conditions. The docs sayhashFilesis "available in the runtime environment when steps are running" — i.e. step-level only. At job-eligibility time the expression evaluator rejects the workflow, no jobs are scheduled, the run is marked as a failed startup. Wrapping in ${{ }} makes no difference.Fix
Mirrors hyperpolymath/stapeln#36. Removes the job-level
if:line and adds a step-level guard at the top of the existing run block:Same semantics (skip when no
Cargo.toml), but at a context where the expression works.After this fix, the Secret Scanner workflow actually runs trufflehog + gitleaks + (conditionally) rust-secrets as designed.