fix: remove secrets from if conditions in publish workflow (#51)

sapientpants · web-flow · commit d0fc255732fd · 2025-08-27T23:17:11.000+02:00
- GitHub Actions doesn't allow secrets in job-level if conditions
- Move secret checks to runtime steps instead
- Add explicit credential checking steps for NPM, Docker, and Slack
- This ensures the workflow runs without syntax errors
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -59,8 +59,19 @@ jobs:
       - name: Build
         run: pnpm build
 
+      - name: Check NPM token
+        id: check-npm
+        run: |
+          if [ -n "${{ secrets.NPM_TOKEN }}" ]; then
+            echo "has_token=true" >> $GITHUB_OUTPUT
+            echo "✅ NPM_TOKEN is configured"
+          else
+            echo "has_token=false" >> $GITHUB_OUTPUT
+            echo "⚠️ NPM_TOKEN is not configured, skipping publish"
+          fi
+
       - name: Publish to NPM
-        if: ${{ secrets.NPM_TOKEN != '' }}
+        if: steps.check-npm.outputs.has_token == 'true'
         run: |
           # Remove private flag if present
           jq 'del(.private)' package.json > tmp.json && mv tmp.json package.json
@@ -118,7 +129,7 @@ jobs:
   docker:
     name: Publish to Docker Hub
     runs-on: ubuntu-latest
-    if: vars.ENABLE_DOCKER_RELEASE == 'true' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != ''
+    if: vars.ENABLE_DOCKER_RELEASE == 'true'
     steps:
       - name: Determine version
         id: version
@@ -133,20 +144,36 @@ jobs:
         with:
           ref: v${{ steps.version.outputs.version }}
 
+      - name: Check Docker credentials
+        id: check-docker
+        run: |
+          if [ -n "${{ secrets.DOCKERHUB_USERNAME }}" ] && [ -n "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
+            echo "has_credentials=true" >> $GITHUB_OUTPUT
+            echo "✅ Docker Hub credentials are configured"
+          else
+            echo "has_credentials=false" >> $GITHUB_OUTPUT
+            echo "⚠️ Docker Hub credentials are not configured, skipping publish"
+            exit 0
+          fi
+
       - name: Set up QEMU
+        if: steps.check-docker.outputs.has_credentials == 'true'
         uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
+        if: steps.check-docker.outputs.has_credentials == 'true'
         uses: docker/setup-buildx-action@v3
 
       - name: Login to Docker Hub
+        if: steps.check-docker.outputs.has_credentials == 'true'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Extract metadata
         id: meta
+        if: steps.check-docker.outputs.has_credentials == 'true'
         uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}
@@ -157,6 +184,7 @@ jobs:
             type=raw,value=latest
 
       - name: Build and push
+        if: steps.check-docker.outputs.has_credentials == 'true'
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -170,11 +198,21 @@ jobs:
 
   notify:
     name: Notify
-    if: always() && secrets.SLACK_WEBHOOK != ''
+    if: always()
     needs: [npm, docker, github-packages]
     runs-on: ubuntu-latest
     steps:
+      - name: Check Slack webhook
+        id: check-slack
+        run: |
+          if [ -n "${{ secrets.SLACK_WEBHOOK }}" ]; then
+            echo "has_webhook=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_webhook=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Send Slack notification
+        if: steps.check-slack.outputs.has_webhook == 'true'
         uses: slackapi/slack-github-action@v2
         with:
           payload: |
