fix(ci): move ACT guards to step level; add guards to security.yml

env context is invalid in job-level if conditions — moved all ACT guards down to individual steps. Also guards docker login + scout in security.yml so act can run the build-only part of that workflow.
2026-06-19 05:11:46 +00:00 · 2026-05-25 21:10:36 +02:00
parent 797183de08
commit f92b95e054
3 changed files with 18 additions and 3 deletions
@@ -120,17 +120,18 @@ jobs:
          retention-days: 1

  merge:
-    if: ${{ !env.ACT }}
    runs-on: ubuntu-latest
    needs: [version-bump, build]
    steps:
      - uses: actions/checkout@v4
+        if: ${{ !env.ACT }}
        with:
          ref: ${{ needs.version-bump.outputs.sha }}
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Download build digests
+        if: ${{ !env.ACT }}
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
@@ -138,13 +139,16 @@ jobs:
          merge-multiple: true

      - uses: docker/setup-buildx-action@v3
+        if: ${{ !env.ACT }}

      - uses: docker/login-action@v3
+        if: ${{ !env.ACT }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Create and push multi-arch manifest
+        if: ${{ !env.ACT }}
        working-directory: /tmp/digests
        run: |
          VERSION="${{ needs.version-bump.outputs.version }}"
@@ -157,9 +161,11 @@ jobs:
            "${digests[@]}"

      - name: Inspect manifest
+        if: ${{ !env.ACT }}
        run: docker buildx imagetools inspect mauriceboe/trek:latest-pre

      - name: Push git tag
+        if: ${{ !env.ACT }}
        run: |
          VERSION="${{ needs.version-bump.outputs.version }}"
          git config user.name "github-actions[bot]"
@@ -168,6 +174,7 @@ jobs:
          git push origin "v$VERSION"

      - name: Clean up old prerelease tags
+        if: ${{ !env.ACT }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
@@ -174,15 +174,16 @@ jobs:
          retention-days: 1

  merge:
-    if: ${{ !env.ACT }}
    runs-on: ubuntu-latest
    needs: [version-bump, build]
    steps:
      - uses: actions/checkout@v4
+        if: ${{ !env.ACT }}
        with:
          ref: main

      - name: Download build digests
+        if: ${{ !env.ACT }}
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
@@ -190,13 +191,16 @@ jobs:
          merge-multiple: true

      - uses: docker/setup-buildx-action@v3
+        if: ${{ !env.ACT }}

      - uses: docker/login-action@v3
+        if: ${{ !env.ACT }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Create and push multi-arch manifest
+        if: ${{ !env.ACT }}
        working-directory: /tmp/digests
        run: |
          VERSION="${{ needs.version-bump.outputs.version }}"
@@ -209,19 +213,21 @@ jobs:
            "${digests[@]}"

      - name: Inspect manifest
+        if: ${{ !env.ACT }}
        run: docker buildx imagetools inspect mauriceboe/trek:latest

  release-helm:
-    if: ${{ !env.ACT }}
    runs-on: ubuntu-latest
    needs: version-bump
    steps:
      - name: Checkout
+        if: ${{ !env.ACT }}
        uses: actions/checkout@v4
        with:
          ref: main

      - name: Publish Helm chart
+        if: ${{ !env.ACT }}
        uses: stefanprodan/helm-gh-pages@v1.7.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -25,11 +25,13 @@ jobs:
          tags: trek:scan

      - uses: docker/login-action@v3
+        if: ${{ !env.ACT }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - uses: docker/scout-action@v1
+        if: ${{ !env.ACT }}
        with:
          command: cves
          image: trek:scan