Skip to content

feat(ci): honor job-level if: conditions#379

Merged
zoetaka38 merged 1 commit into
mainfrom
fix/ci-job-level-if
Jul 7, 2026
Merged

feat(ci): honor job-level if: conditions#379
zoetaka38 merged 1 commit into
mainfrom
fix/ci-job-level-if

Conversation

@zoetaka38

Copy link
Copy Markdown
Contributor

Step-level if: was evaluated but job-level if: was ignored, so a gated job (e.g. if: github.ref_name == 'main' on a deploy job) always ran.

Carry the job's if into the IR and evaluate it in the run loop: a false condition marks the whole job skipped (status completed / conclusion skipped), like GitHub. The needs-skip and if-skip paths now share one skipJob helper.

Verified live with a full workflow exercising matrix + actions/checkout + env + ${{ }} expressions + needs + job-level if + masked secrets:

test (18)   success
test (20)   success
deploy      success   # if: github.ref_name == 'main' -> ran; $DEPLOY_KEY masked to ***
skipme      skipped   # if: github.ref_name == 'nope' -> skipped (was wrongly 'success' before)
run         success

Step-level `if:` was evaluated but job-level `if:` was ignored, so a gated job
(e.g. `if: github.ref_name == 'main'` on a deploy job) always ran. Carry the
job's `if` into the IR and evaluate it in the run loop: a false condition marks
the whole job skipped (status completed / conclusion skipped), like GitHub.

The needs-skip and if-skip paths now share one skipJob helper.

Verified live: a `deploy` job with `if: github.ref_name == 'main'` runs on main
while a sibling with `if: github.ref_name == 'nope'` is skipped; a full workflow
exercising matrix + checkout + env + expressions + needs + job-if + masked
secrets all behave correctly.
@orange-codens

orange-codens Bot commented Jul 7, 2026

Copy link
Copy Markdown

🍊 Orange Codens レビュー

🔒 セキュリティ: 本PRはジョブレベルの if: 条件をIRに持ち運び、実行ループで評価する機能追加および skipJob のダブりコードをヘルパーに切り出すリファクタリングです。diff 内で新規に引入される脆弱性経路は確認されませんでした。expression evaluator は既存のステップレベル if: 評価で既使用であり、新規に attack surface が広がっているわけではありません。また、EvalContextsecretsCtx を含める構成は GitHub Actions の spec では job-level if: が secrets にアクセス不可であるため機能的に不正確ですが、本変更で新規に導入されたものではなく、かつワークフローファイルの書き込み権限を持つユーザーに限定されるため、本 diff 内での security finding として推奨しません。

指摘事項はありません。✨

head: 74bfc4f | 🍊 Reviewed by Orange Codens — AI code review & security audit

@zoetaka38
zoetaka38 merged commit f5abb66 into main Jul 7, 2026
20 checks passed
@zoetaka38
zoetaka38 deleted the fix/ci-job-level-if branch July 7, 2026 04:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant