dependabot-originating builds fail due to lack of secrets · trinodb/trino#28176

(2 留言) (0 反應) (0 負責人)Java (9,113 star) (2,678 fork)batch import

good first issuemaintenancetest

描述

There is a problem with dependabot-initiated PR builds. The build attempt to run jobs requiring secrets and fails as the secrets are not found Example: https://github.com/trinodb/trino/actions/runs/21819342270/job/62948556703?pr=28175 (#28175)

My understanding is that dependabot-originated flows have access to repo vars, but they don't see repo secrets except those configured for dependabot itself. Given job conditions being has-var || has-secret, this leads to build failures.

proposed solution

Change job conditions to be "(has-var && !dependabot-originated) || has-secret"

貢獻者指南

技術棧: github actions
領域: ci cddevopsbuild system
議題類型: bug
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: Basic GitHub ActionsYAML syntaxUnderstanding of CI secrets
新手友善度: 70
研究方向: Examine the CI workflow file at .github/workflows/ci.yml, specifically the job condition on line 587 (has var || has secret). Understand how dependabot originating PRs behave regarding secrets. The proposed fix changes the condition to (has var && !dependabot originated) || has secret. Also review the example failing run linked in the issue to confirm the error.