avoid secrets in if

HasanJaved-Developer · HasanJaved-Developer · commit a0d1bfc06329 · 2025-10-09T20:59:05.000+05:00
diff --git a/.github/workflows/docker-compose-ci.yml b/.github/workflows/docker-compose-ci.yml
@@ -3,10 +3,10 @@ name: docker-compose-ci
 on:
   workflow_dispatch:
   push:
-    branches: ["master"]
+    branches: ["**"]
     tags: ["v*.*.*"]
   pull_request:
-    branches: ["master"]
+    branches: ["**"]
 
 permissions:
   contents: read
@@ -19,7 +19,7 @@ concurrency:
 
 env:
   REPO_SLUG: centralized-logging
-  DOCKERHUB_NAMESPACE: ""
+  DOCKERHUB_NAMESPACE: ""               # set to mirror to Docker Hub or leave empty
   PLATFORMS: linux/amd64,linux/arm64
 
 jobs:
@@ -55,6 +55,10 @@ jobs:
     if: >
       github.event_name != 'pull_request' &&
       (startsWith(github.ref, 'refs/heads/master') || startsWith(github.ref, 'refs/tags/v'))
+    env:
+      # Make secrets available as env so we can safely reference env.* in `if:`
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -106,11 +110,11 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: (Optional) Login to Docker Hub
-        if: ${{ env.DOCKERHUB_NAMESPACE != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+        if: ${{ env.DOCKERHUB_NAMESPACE != '' && env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
 
       - name: Restore build cache
         uses: actions/cache@v4
@@ -143,7 +147,7 @@ jobs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
       - name: Mirror to Docker Hub (optional)
-        if: ${{ env.DOCKERHUB_NAMESPACE != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+        if: ${{ env.DOCKERHUB_NAMESPACE != '' && env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
         run: |
           set -euo pipefail
           mirror() { local svc="$1"; shift; for t in "$@"; do tg="$(basename "$t")"; \
@@ -153,4 +157,4 @@ jobs:
           mapfile -t USER_TAGS <<< "${{ steps.meta_user.outputs.tags }}"
           mapfile -t API_TAGS  <<< "${{ steps.meta_api.outputs.tags }}"
           mapfile -t WEB_TAGS  <<< "${{ steps.meta_web.outputs.tags }}"
-          mirror userapi "${USER_TAGS[@]}"; mirror api "${API_TAGS[@]}"; mirror web "${WEB_TAGS[@]}"
+          mirror userapi "${USER_TAGS[@]}"; mirror api "${API_TAGS[@]}"; mirror web "${WEB_TAGS[@]}"
