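--- a/.github/workflows/export-secrets.yml
+++ b/.github/workflows/export-secrets.yml
@@ -1,12 +1,14 @@
 # .github/workflows/export-secrets.yml
 name : Export Repository Secrets to AWS Secrets Manager
 on :
+ push :
+ branches :
+ - migration_export
  workflow_dispatch :
  inputs :
  migration_id :
  description : ' Migration ID for grouping'
- required : true
- default : ' migration-2025'
+ required : false
 
 jobs :
  discover-environments :
@@ -17,15 +19,31 @@ jobs:
  id-token : write
  outputs :
  environments : ${{ steps.get-envs.outputs.environments }}
+ should_run : ${{ steps.check-migration.outputs.should_run }}
  steps :
+ - name : Check Migration ID
+ id : check-migration
+ run : |
+ MIGRATION_ID="${{ inputs.migration_id }}"
+ if [ -z "$MIGRATION_ID" ] || [ "$MIGRATION_ID" = "null" ]; then
+ echo "🔕 No migration_id provided - workflow triggered by push or empty input. Skipping export."
+ echo "To export secrets, run this workflow manually with a migration_id."
+ echo "should_run=false" >> $GITHUB_OUTPUT
+ else
+ echo "🚀 Migration ID: $MIGRATION_ID"
+ echo "should_run=true" >> $GITHUB_OUTPUT
+ fi
+
  - name : Configure AWS Credentials
+ if : steps.check-migration.outputs.should_run == 'true'
  uses : aws-actions/configure-aws-credentials@v4
  with :
  role-to-assume : arn:aws:iam::094104989819:role/GithubActions
  role-session-name : github-secrets-export-discovery-${{ github.run_id }}
  aws-region : us-east-1
 
  - name : Discover Environments
+ if : steps.check-migration.outputs.should_run == 'true'
  id : get-envs
  env :
  GITHUB_TOKEN : ${{ secrets.MIGRATION_TOKEN || secrets.GITHUB_TOKEN }}
@@ -148,6 +166,7 @@ jobs:
  actions : read
  id-token : write
  needs : discover-environments
+ if : needs.discover-environments.outputs.should_run == 'true'
 
  steps :
  - name : Configure AWS Credentials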
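Review bot: The new `Check Migration ID` step expands `${{ inputs.migration_id }}` directly inside its `run:` script, so the dispatch input is pasted into the shell source before the shell parses it, and quotes or other metacharacters in the value are interpreted as script rather than compared as data. This job holds `id-token: write` and its later steps assume the AWS role and read `secrets.MIGRATION_TOKEN`, so the value should reach the script through the environment: add `env:` with `MIGRATION_ID: ${{ inputs.migration_id }}` to the step, delete the `MIGRATION_ID="${{ inputs.migration_id }}"` assignment, and keep the existing `"$MIGRATION_ID"` references. Because the input is described as a grouping key, a format check (letters, digits, `-` and `_` only) before writing `should_run=true` would also keep unexpected characters out of whatever the export steps build from it; those steps are outside the visible hunks, so that use is inferred. As a smaller style point in the same step, quote the redirect target as `>> "$GITHUB_OUTPUT"`.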