fix(ci): move ACT guards to step level; add guards to security.yml

env context is invalid in job-level if conditions — moved all ACT guards down to individual steps. Also guards docker login + scout in security.yml so act can run the build-only part of that workflow.
2026-06-19 13:21:46 +00:00 · 2026-05-25 21:10:36 +02:00
parent 797183de08
commit f92b95e054
3 changed files with 18 additions and 3 deletions
@@ -120,17 +120,18 @@ jobs:
          retention-days: 1
  merge:
    if: ${{ !env.ACT }}
    runs-on: ubuntu-latest
    needs: [version-bump, build]
    steps:
      - uses: actions/checkout@v4
        if: ${{ !env.ACT }}
        with:
          ref: ${{ needs.version-bump.outputs.sha }}
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Download build digests
        if: ${{ !env.ACT }}
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
@@ -138,13 +139,16 @@ jobs:
          merge-multiple: true
      - uses: docker/setup-buildx-action@v3
        if: ${{ !env.ACT }}
      - uses: docker/login-action@v3
        if: ${{ !env.ACT }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Create and push multi-arch manifest
        if: ${{ !env.ACT }}
        working-directory: /tmp/digests
        run: |
          VERSION="${{ needs.version-bump.outputs.version }}"
@@ -157,9 +161,11 @@ jobs:
            "${digests[@]}"
      - name: Inspect manifest
        if: ${{ !env.ACT }}
        run: docker buildx imagetools inspect mauriceboe/trek:latest-pre
      - name: Push git tag
        if: ${{ !env.ACT }}
        run: |
          VERSION="${{ needs.version-bump.outputs.version }}"
          git config user.name "github-actions[bot]"
@@ -168,6 +174,7 @@ jobs:
          git push origin "v$VERSION"
      - name: Clean up old prerelease tags
        if: ${{ !env.ACT }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
@@ -174,15 +174,16 @@ jobs:
          retention-days: 1
  merge:
    if: ${{ !env.ACT }}
    runs-on: ubuntu-latest
    needs: [version-bump, build]
    steps:
      - uses: actions/checkout@v4
        if: ${{ !env.ACT }}
        with:
          ref: main
      - name: Download build digests
        if: ${{ !env.ACT }}
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
@@ -190,13 +191,16 @@ jobs:
          merge-multiple: true
      - uses: docker/setup-buildx-action@v3
        if: ${{ !env.ACT }}
      - uses: docker/login-action@v3
        if: ${{ !env.ACT }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Create and push multi-arch manifest
        if: ${{ !env.ACT }}
        working-directory: /tmp/digests
        run: |
          VERSION="${{ needs.version-bump.outputs.version }}"
@@ -209,19 +213,21 @@ jobs:
            "${digests[@]}"
      - name: Inspect manifest
        if: ${{ !env.ACT }}
        run: docker buildx imagetools inspect mauriceboe/trek:latest
  release-helm:
    if: ${{ !env.ACT }}
    runs-on: ubuntu-latest
    needs: version-bump
    steps:
      - name: Checkout
        if: ${{ !env.ACT }}
        uses: actions/checkout@v4
        with:
          ref: main
      - name: Publish Helm chart
        if: ${{ !env.ACT }}
        uses: stefanprodan/helm-gh-pages@v1.7.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -25,11 +25,13 @@ jobs:
          tags: trek:scan
      - uses: docker/login-action@v3
        if: ${{ !env.ACT }}
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - uses: docker/scout-action@v1
        if: ${{ !env.ACT }}
        with:
          command: cves
          image: trek:scan