Skip to content

fix: boolean comparison gotcha in github action expressions #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fredbi merged 1 commit into from
Dec 12, 2025
Merged

fix: boolean comparison gotcha in github action expressions #54

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 27 additions & 6 deletions .claude/skills/github-actions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -427,12 +427,33 @@ Brief description of what the action does.

## Common Gotchas

1. **Expression evaluation in descriptions**: Don't use `${{ }}` in action.yml description fields
2. **Race conditions**: Always use optimistic execution + error handling, never check-then-act
3. **Secret exposure**: Never use `secrets[inputs.name]` - always use explicit secret parameters
4. **Branch deletion**: Use `wait-pending-jobs` before merging to prevent failures in non-required jobs
5. **Idempotency**: `gh pr merge --auto` is NOT idempotent - handle "Merge already in progress" error
6. **TOCTOU vulnerabilities**: State can change between check and action - handle at runtime
1. **Boolean input comparisons**: GitHub Actions inputs are strongly typed, with no "JS-like" truthy logic
```yaml
# ❌ WRONG - Boolean true is NOT equal to string 'true'
on:
workflow_call:
inputs:
enable-feature:
type: boolean
default: true

jobs:
my-job:
if: ${{ inputs.enable-feature == 'true' }} # FALSE when input is boolean true!

# ✅ CORRECT - Handle both boolean and string values
if: ${{ inputs.enable-feature == 'true' || inputs.enable-feature == true }}

# Note: In bash, this works fine because bash converts to string:
if [[ '${{ inputs.enable-feature }}' == 'true' ]]; then # Works in bash
```

2. **Expression evaluation in descriptions**: Don't use `${{ }}` in action.yml description fields
3. **Race conditions**: Always use optimistic execution + error handling, never check-then-act
4. **Secret exposure**: Never use `secrets[inputs.name]` - always use explicit secret parameters
5. **Branch deletion**: Use `wait-pending-jobs` before merging to prevent failures in non-required jobs
6. **Idempotency**: `gh pr merge --auto` is NOT idempotent - handle "Merge already in progress" error
7. **TOCTOU vulnerabilities**: State can change between check and action - handle at runtime

## Testing Workflows

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/auto-merge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ jobs:
contents: write
pull-requests: write
runs-on: ubuntu-latest
if: ${{ inputs.enable-organization-bot == 'true' && github.event.pull_request.user.login == inputs.organization-bot }}
if: ${{ (inputs.enable-organization-bot == 'true' || inputs.enable-organization-bot == true) && github.event.pull_request.user.login == inputs.organization-bot }}
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down