fix: only run Asana jobs if the secrets are present

This avoids failures when running on PRs from forks. We do it in this convoluted way because you can't access secrets directly from `if` blocks: actions/runner#520
mbta · Aug 7, 2023 · cf2bd54 · cf2bd54
1 parent 0cc6678
commit cf2bd54
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/.github/workflows/asana.yml b/.github/workflows/asana.yml
@@ -29,9 +29,17 @@ on:
         required: false
         description: GitHub secret that Asana uses to fetch PR information.
 jobs:
+  check-for-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          [ -n "${{ secrets.asana-token }}" ] && echo "has-asana-token=true" >> $GITHUB_OUTPUT
+          [ -n "${{ secrets.github-secret }}" ] && echo "has-github-secret=true" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
   move-to-merged-asana-ticket-job:
     runs-on: ubuntu-latest
-    if: inputs.merged-section != '' && github.event.pull_request.merged == true && github.actor != 'dependabot[bot]' 
+    needs: check-for-secrets
+    if: inputs.merged-section != '' && needs.check-for-secrets.output.has-asana-token == 'true' && github.event.pull_request.merged == true && github.actor != 'dependabot[bot]'
     steps:
       - name: Move ticket on merge
         uses:  mbta/[email protected]
@@ -42,7 +50,8 @@ jobs:
           mark-complete: ${{ inputs.complete-on-merge }}
   move-to-in-review-asana-ticket-job:
     runs-on: ubuntu-latest
-    if: inputs.review-section != '' && github.event.action == 'review_requested' && github.actor != 'dependabot[bot]'
+    needs: check-for-secrets
+    if: inputs.review-section != '' && needs.check-for-secrets.output.has-asana-token == 'true' && github.event.action == 'review_requested' && github.actor != 'dependabot[bot]'
     steps:
       - name: Move ticket on review requested
         uses:  mbta/[email protected]
@@ -52,8 +61,9 @@ jobs:
           target-section: ${{ inputs.review-section }}
   create-asana-attachment-job:
     runs-on: ubuntu-latest
+    needs: check-for-secrets
     name: Create pull request attachments on Asana tasks
-    if: inputs.attach-pr && github.actor != 'dependabot[bot]'
+    if: inputs.attach-pr && needs.check-for-secrets.output.has-github-secret == 'true' && github.actor != 'dependabot[bot]'
     steps:
       - name: Create pull request attachments
         uses: Asana/[email protected]