Check for secrets being present at GitHub workflows (#5973)

koppor · web-flow · commit 080816822066 · 2020-03-22T23:47:34.000+01:00
diff --git a/.github/workflows/check-outdated-dependencies.yml b/.github/workflows/check-outdated-dependencies.yml
@@ -1,6 +1,6 @@
 name: Check dependencies
 
-on: 
+on:
   schedule:
     - cron:  '0 0 * * TUE' # Run every Tuesday (after dependabot, which runs Monday)
 
@@ -9,21 +9,18 @@ jobs:
     name: Check dependencies
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout source
-      uses: actions/checkout@v1
-      with:
-        depth: 1
-        submodules: false
-    - name: Set up JDK
-      uses: actions/setup-java@v1
-      with:
-        java-version: 14
-    - name: Look for outdated dependencies
-      run: ./gradlew -q checkOutdatedDependencies
-    - name: Report issues
-      if: failure()
-      uses: JasonEtco/create-an-issue@master
-      env: 
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        filename: .github/outdatedDependencies.md
+      - name: Checkout source
+        uses: actions/checkout@v2
+      - name: Set up JDK
+        uses: actions/setup-java@v1
+        with:
+          java-version: 14
+      - name: Look for outdated dependencies
+        run: ./gradlew -q checkOutdatedDependencies
+      - name: Report issues
+        if: failure()
+        uses: JasonEtco/create-an-issue@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          filename: .github/outdatedDependencies.md
diff --git a/.github/workflows/cleanup_pr.yml b/.github/workflows/cleanup_pr.yml
@@ -9,15 +9,28 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Extract branch name
-      id: extract_branch
-      run: |
-        echo "##[set-output name=branch;]$(echo ${{ github.event.pull_request.head.ref }})"
-    - name: Delete folder on builds.jabref.org
-      uses: appleboy/ssh-action@v0.0.6
-      with:
-        script: rm -rf /var/www/builds.jabref.org/www/${{ steps.extract_branch.outputs.branch }}
-        host: build-upload.jabref.org
-        port: 9922
-        username: jrrsync
-        key: ${{ secrets.buildJabRefPrivateKey }}
+      - name: Check secrets presence
+        id: checksecrets
+        shell: bash
+        run: |
+          if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then
+            echo ::set-output name=secretspresent::false
+          else
+            echo ::set-output name=secretspresent::true
+          fi
+        env:
+          BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }}
+      - name: Extract branch name
+        id: extract_branch
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
+        run: |
+          echo "##[set-output name=branch;]$(echo ${{ github.event.pull_request.head.ref }})"
+      - name: Delete folder on builds.jabref.org
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
+        uses: appleboy/ssh-action@v0.0.6
+        with:
+          script: rm -rf /var/www/builds.jabref.org/www/${{ steps.extract_branch.outputs.branch }}
+          host: build-upload.jabref.org
+          port: 9922
+          username: jrrsync
+          key: ${{ secrets.buildJabRefPrivateKey }}
diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
@@ -93,6 +93,17 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build]
     steps:
+      - name: Check secrets presence
+        id: checksecrets
+        shell: bash
+        run: |
+          if [ "$BUILDJABREFPRIVATEKEY" == "" ]; then
+            echo ::set-output name=secretspresent::false
+          else
+            echo ::set-output name=secretspresent::true
+          fi
+        env:
+          BUILDJABREFPRIVATEKEY: ${{ secrets.buildJabRefPrivateKey }}
       - name: Checkout source
         uses: actions/checkout@v2
       - name: Fetch all history for all tags and branches
@@ -121,6 +132,7 @@ jobs:
           path: build/distribution/
       - name: Deploy to builds.jabref.org
         id: deploy
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
         uses: Pendect/action-rsyncer@v1.1.0
         env:
           DEPLOY_KEY: ${{ secrets.buildJabRefPrivateKey }}
diff --git a/.github/workflows/snap.yml b/.github/workflows/snap.yml
@@ -11,6 +11,17 @@ jobs:
     name: Create snapcraft image
 
     steps:
+      - name: Check secrets presence
+        id: checksecrets
+        shell: bash
+        run: |
+          if [ "SNAPCRAFT_LOGIN_FILE" == "" ]; then
+            echo ::set-output name=secretspresent::false
+          else
+            echo ::set-output name=secretspresent::true
+          fi
+        env:
+          SNAPCRAFT_LOGIN_FILE: ${{ secrets.SNAPCRAFT_LOGIN_FILE }}
       - name: Checkout source
         uses: actions/checkout@v2
       # The image relies on https://builds.jabref.org/master/JabRef-5.0-portable_linux.tar.gz^
@@ -19,6 +30,7 @@ jobs:
         uses: jhenstridge/snapcraft-build-action@v1
         id: snapcraft
       - name: Build snap (2) Upload snap
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
         uses: jhenstridge/snapcraft-publish-action@v1
         with:
           store_login: ${{ secrets.SNAPCRAFT_LOGIN_FILE }}
diff --git a/.github/workflows/tests-fetchers.yml b/.github/workflows/tests-fetchers.yml
@@ -30,10 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source
-        uses: actions/checkout@v1
-        with:
-          depth: 1
-          submodules: false
+        uses: actions/checkout@v2
       - name: Set up JDK
         uses: actions/setup-java@v1
         with:
diff --git a/.github/workflows/tests-oracle.yml b/.github/workflows/tests-oracle.yml
@@ -26,30 +26,42 @@ jobs:
     name: Oracle tests
     runs-on: ubuntu-latest
     steps:
+      - name: Check secrets presence
+        id: checksecrets
+        shell: bash
+        run: |
+          if [ "CCRYPT" == "" ]; then
+            echo ::set-output name=secretspresent::false
+          else
+            echo ::set-output name=secretspresent::true
+          fi
+        env:
+          SNAPCRAFT_LOGIN_FILE: ${{ secrets.CCRYPT }}
       - name: Checkout source
-        uses: actions/checkout@v1
-        with:
-          depth: 1
-          submodules: false
+        uses: actions/checkout@v2
       - name: Set up JDK
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
         uses: actions/setup-java@v1
         with:
           java-version: 14
-      - uses: actions/cache@v1
-        name: Restore gradle chache
+      - name: Restore gradle chache
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
+        uses: actions/cache@v1
         with:
           path: ~/.gradle/caches
           key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
           restore-keys: |
             ${{ runner.OS }}-gradle-${{ env.cache-name }}-
             ${{ runner.OS }}-gradle-
             ${{ runner.OS }}-
-      - uses: actions/cache@v1
-        name: Restore gradle wrapper
+      - name: Restore gradle wrapper
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
+        uses: actions/cache@v1
         with:
           path: ~/.gradle/wrapper
           key: ${{ runner.os }}-gradle-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
       - name: Start Oracle XE
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
         run: |
           mkdir ~/oracle-xe || true
           cd ~/oracle-xe
@@ -71,6 +83,7 @@ jobs:
         env:
           CCRYPT: ${{ secrets.CCRYPT }}
       - name: Run database test
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
         run: ./gradlew databaseTest --rerun-tasks
         env:
           DBMS: "oracle"
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -170,6 +170,17 @@ jobs:
         # needed because the postgres container does not provide a healthcheck
         options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
     steps:
+      - name: Check secrets presence
+        id: checksecrets
+        shell: bash
+        run: |
+          if [ "CODECOV_TOKEN" == "" ]; then
+            echo ::set-output name=secretspresent::false
+          else
+            echo ::set-output name=secretspresent::true
+          fi
+        env:
+          SNAPCRAFT_LOGIN_FILE: ${{ secrets.CODECOV_TOKEN }}
       - name: Checkout source
         uses: actions/checkout@v2
       - name: Set up JDK
@@ -191,6 +202,7 @@ jobs:
           path: ~/.gradle/wrapper
           key: ${{ runner.os }}-gradle-${{ hashFiles('gradle/wrapper/gradle-wrapper.properties') }}
       - name: Update test coverage metrics
+        if: ${{ steps.checksecrets.outputs.secretspresent }}
         run: xvfb-run --auto-servernum ./gradlew jacocoTestReport && bash <(curl -s https://codecov.io/bash);
         env:
           CI: "false" # we pretend to run locally - even if tests fail on the CI, they count towards test coverage
diff --git a/codecov.yml b/codecov.yml
@@ -5,5 +5,5 @@ coverage:
     patch: false
     project:
       default:
-        threshold: 0.005
+        threshold: 0.01
 comment: false
