From e053d3172fda4b6d2ef3e0174fdf850069626bbe Mon Sep 17 00:00:00 2001 From: kolaente Date: Wed, 27 May 2026 17:02:56 +0200 Subject: [PATCH] fix(ci): escape ${{ secrets.* }} mention in release-binaries description MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GitHub's action manifest parser evaluates `${{ ... }}` expressions inside `description:` block scalars, and `secrets` isn't a valid context in a composite action — so the literal example text in the docstring caused manifest validation to fail before any step ran. --- .github/actions/release-binaries/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/release-binaries/action.yml b/.github/actions/release-binaries/action.yml index 33e944d36..c69481a88 100644 --- a/.github/actions/release-binaries/action.yml +++ b/.github/actions/release-binaries/action.yml @@ -5,7 +5,7 @@ description: | Derives every per-project path, cache key, artifact name, and S3 target from the `project` input. Callers only need to provide the project name, the raw `git describe` value, and pass through the GPG/S3 secrets as - inputs (composite actions can't read `${{ secrets.* }}` directly). + inputs (composite actions can't read the `secrets` context directly). inputs: project: @@ -14,8 +14,8 @@ inputs: release-version: description: 'Raw git describe value (e.g. v1.2.3 or a sha). Use "" or "main" for unstable builds.' required: true - # Secrets — composite actions can't read `${{ secrets.* }}` directly, so the - # caller threads them through as inputs. + # Secrets — composite actions can't read the `secrets` context directly, so + # the caller threads them through as inputs. gpg-passphrase: required: true gpg-sign-key: