sync-test: skip when required connector secret is empty

robert-chiniquy · robert-chiniquy · commit cd14f54c12f5 · 2026-05-22T09:34:43.000-07:00
Add an optional 'required-secrets' input listing env var names that must be
non-empty for the test to run. If any are empty the action logs a skip
notice and exits 0 instead of failing on a missing-credential side effect
(empty grants, jq exit-status failure, etc.).

Connectors opt in by setting the input in their workflow:

  - uses: ConductorOne/github-workflows/actions/sync-test@v3
    with:
      connector: ./baton-foo
      baton-entitlement: 'role:owner:assigned'
      baton-principal: 'user@example.com'
      required-secrets: BATON_FOO_TOKEN

Existing callers (no new input) behave exactly as before.
diff --git a/actions/sync-test/action.yaml b/actions/sync-test/action.yaml
@@ -18,6 +18,17 @@ inputs:
   sleep:
     description: 'Sleep time in seconds to wait after each write operation. If not provided, no sleep will be performed.'
     required: false
+  required-secrets:
+    description: |
+      Comma- or newline-separated list of env var names that must be non-empty for
+      this test to run. If any are empty (e.g. the workflow could not pull a fork
+      secret, or the org secret has not been provisioned yet), the action logs a
+      skip notice and exits 0 instead of failing on a missing-credential side
+      effect (no grants returned, empty token, etc.).
+
+      Example:
+        required-secrets: BATON_NETLIFY_ACCESS_TOKEN
+    required: false
 
 runs:
   using: "composite"
@@ -33,5 +44,6 @@ runs:
         BATON_PRINCIPAL_TYPE: ${{ inputs.baton-principal-type }}
         BATON: baton
         SLEEP: ${{ inputs.sleep }}
+        REQUIRED_SECRETS: ${{ inputs.required-secrets }}
       run: ${{ github.action_path }}/grant-revoke.sh
       shell: bash
diff --git a/actions/sync-test/grant-revoke.sh b/actions/sync-test/grant-revoke.sh
@@ -16,6 +16,20 @@ if ! command -v $BATON &> /dev/null; then
   exit 1
 fi
 
+# If required-secrets input was provided, skip the test when any listed env
+# var is empty. This unblocks PRs from forks or repos whose org secret has
+# not been provisioned yet — running the binary without credentials yields
+# empty grants, which then fails the jq exit-status assertion below.
+if [ -n "${REQUIRED_SECRETS:-}" ]; then
+  # Normalize: split on comma or whitespace; iterate non-empty tokens.
+  for name in ${REQUIRED_SECRETS//,/ }; do
+    if [ -z "${!name:-}" ]; then
+      echo "::notice title=sync-test skipped::required secret $name is empty; skipping connector sync test"
+      exit 0
+    fi
+  done
+fi
+
 # Error on unbound variables now that we've set BATON
 set -u
 
