diff --git a/compiler/engine.go b/compiler/engine.go index 9addf7a79..f2ff2a33e 100644 --- a/compiler/engine.go +++ b/compiler/engine.go @@ -71,10 +71,10 @@ type Engine interface { // ExpandStages defines a function that injects the template // for each templated step in every stage in a yaml configuration. - ExpandStages(*yaml.Build, map[string]*yaml.Template) (*yaml.Build, error) + ExpandStages(*yaml.Build, map[string]*yaml.Template, *pipeline.RuleData) (*yaml.Build, error) // ExpandSteps defines a function that injects the template // for each templated step in a yaml configuration. - ExpandSteps(*yaml.Build, map[string]*yaml.Template) (*yaml.Build, error) + ExpandSteps(*yaml.Build, map[string]*yaml.Template, *pipeline.RuleData) (*yaml.Build, error) // Init Compiler Interface Functions diff --git a/compiler/native/compile.go b/compiler/native/compile.go index 4b80e3365..a36ddc113 100644 --- a/compiler/native/compile.go +++ b/compiler/native/compile.go @@ -155,7 +155,7 @@ func (c *client) CompileLite(v interface{}, template, substitute bool, localTemp switch { case len(p.Stages) > 0: // inject the templates into the steps - p, err = c.ExpandStages(p, templates) + p, err = c.ExpandStages(p, templates, nil) if err != nil { return nil, _pipeline, err } @@ -169,7 +169,7 @@ func (c *client) CompileLite(v interface{}, template, substitute bool, localTemp } case len(p.Steps) > 0: // inject the templates into the steps - p, err = c.ExpandSteps(p, templates) + p, err = c.ExpandSteps(p, templates, nil) if err != nil { return nil, _pipeline, err } @@ -307,7 +307,7 @@ func (c *client) compileSteps(p *yaml.Build, _pipeline *library.Pipeline, tmpls } // inject the templates into the steps - p, err = c.ExpandSteps(p, tmpls) + p, err = c.ExpandSteps(p, tmpls, r) if err != nil { return nil, _pipeline, err } 
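Review bot: The Engine doc comments for ExpandStages and ExpandSteps still describe only the template injection and say nothing about the new *pipeline.RuleData argument, in particular that nil is a valid value that skips the rule check (CompileLite passes nil in compile.go, while compileSteps and compileStages pass r). A reader of the interface cannot tell from the comment whether nil is allowed or what a non-nil value changes. I'd extend each comment, e.g. for ExpandSteps: `// ExpandSteps defines a function that injects the template` / `// for each templated step in a yaml configuration. When a non-nil` / `// RuleData is given, steps it would purge are left unexpanded; nil expands every step.` The same gap exists on the method comments of the implementations in expand.go (the -23 and -47 hunks).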
@@ -404,7 +404,7 @@ func (c *client) compileStages(p *yaml.Build, _pipeline *library.Pipeline, tmpls } // inject the templates into the stages - p, err = c.ExpandStages(p, tmpls) + p, err = c.ExpandStages(p, tmpls, r) if err != nil { return nil, _pipeline, err } diff --git a/compiler/native/expand.go b/compiler/native/expand.go index e17d03161..4256de7e8 100644 --- a/compiler/native/expand.go +++ b/compiler/native/expand.go @@ -9,6 +9,7 @@ import ( "strings" "github.com/go-vela/types/constants" + "github.com/go-vela/types/pipeline" "github.com/go-vela/server/compiler/registry" "github.com/go-vela/server/compiler/template/native" @@ -22,7 +23,7 @@ import ( // ExpandStages injects the template for each // templated step in every stage in a yaml configuration. -func (c *client) ExpandStages(s *yaml.Build, tmpls map[string]*yaml.Template) (*yaml.Build, error) { +func (c *client) ExpandStages(s *yaml.Build, tmpls map[string]*yaml.Template, r *pipeline.RuleData) (*yaml.Build, error) { if len(tmpls) == 0 { return s, nil } @@ -30,7 +31,7 @@ func (c *client) ExpandStages(s *yaml.Build, tmpls map[string]*yaml.Template) (* // iterate through all stages for _, stage := range s.Stages { // inject the templates into the steps for the stage - p, err := c.ExpandSteps(&yaml.Build{Steps: stage.Steps, Secrets: s.Secrets, Services: s.Services, Environment: s.Environment}, tmpls) + p, err := c.ExpandSteps(&yaml.Build{Steps: stage.Steps, Secrets: s.Secrets, Services: s.Services, Environment: s.Environment}, tmpls, r) if err != nil { return nil, err } 
@@ -46,7 +47,7 @@ func (c *client) ExpandStages(s *yaml.Build, tmpls map[string]*yaml.Template) (* // ExpandSteps injects the template for each // templated step in a yaml configuration. -func (c *client) ExpandSteps(s *yaml.Build, tmpls map[string]*yaml.Template) (*yaml.Build, error) { +func (c *client) ExpandSteps(s *yaml.Build, tmpls map[string]*yaml.Template, r *pipeline.RuleData) (*yaml.Build, error) { if len(tmpls) == 0 { return s, nil } @@ -75,6 +76,22 @@ func (c *client) ExpandSteps(s *yaml.Build, tmpls map[string]*yaml.Template) (*y return s, fmt.Errorf("missing template source for template %s in pipeline for step %s", step.Template.Name, step.Name) } + // if ruledata is nil (CompileLite), continue with expansion + if r != nil { + // form a one-step pipeline to prep for purge check + check := &yaml.StepSlice{step} + pipeline := &pipeline.Build{ + Steps: *check.ToPipeline(), + } + + pipeline = pipeline.Purge(r) + + // if step purged, do not proceed with expansion + if len(pipeline.Steps) == 0 { + continue + } + } + // Create some default global environment inject vars // these are used below to overwrite to an empty // map if they should not be injected into a container diff --git a/compiler/native/expand_test.go b/compiler/native/expand_test.go index ae3fc32b7..a8c232a71 100644 --- a/compiler/native/expand_test.go +++ b/compiler/native/expand_test.go @@ -12,6 +12,7 @@ import ( "testing" "github.com/go-vela/types/library" + "github.com/go-vela/types/pipeline" "github.com/go-vela/types/raw" "github.com/go-vela/types/yaml" "github.com/google/go-cmp/cmp" 
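Review bot: In the new block the local `pipeline := &pipeline.Build{...}` shadows the `pipeline` package imported at the top of the file (added in the -9 hunk), so for the rest of that `if` the package name is unusable and `pipeline.Purge(r)` reads as a package call rather than a method on the local; rename the local, e.g. `pb := &pipeline.Build{Steps: *check.ToPipeline()}`, `pb = pb.Purge(r)`, `if len(pb.Steps) == 0 {`. Separately, `continue` leaves the purged step in s.Steps with its Template still set but never expanded, so ExpandSteps now returns builds containing unexpanded template steps; presumably a later purge of the full pipeline drops them, but that expectation deserves a comment such as `// the step stays in s.Steps unexpanded; the full-pipeline purge is expected to drop it`. The enclosing loop over s.Steps starts before and continues after the hunk.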
@@ -145,7 +146,7 @@ func TestNative_ExpandStages(t *testing.T) { t.Errorf("Creating new compiler returned err: %v", err) } - build, err := compiler.ExpandStages(&yaml.Build{Stages: stages, Services: yaml.ServiceSlice{}, Environment: raw.StringSliceMap{}}, tmpls) + build, err := compiler.ExpandStages(&yaml.Build{Stages: stages, Services: yaml.ServiceSlice{}, Environment: raw.StringSliceMap{}}, tmpls, new(pipeline.RuleData)) if err != nil { t.Errorf("ExpandStages returned err: %v", err) } @@ -321,7 +322,7 @@ func TestNative_ExpandSteps(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { - build, err := compiler.ExpandSteps(&yaml.Build{Steps: steps, Services: yaml.ServiceSlice{}, Environment: globalEnvironment}, test.tmpls) + build, err := compiler.ExpandSteps(&yaml.Build{Steps: steps, Services: yaml.ServiceSlice{}, Environment: globalEnvironment}, test.tmpls, new(pipeline.RuleData)) if err != nil { t.Errorf("ExpandSteps_Type%s returned err: %v", test.name, err) } @@ -385,6 +386,11 @@ func TestNative_ExpandStepsMulti(t *testing.T) { Source: "github.example.com/bar/foo/maven.yml", Type: "github", }, + "npm": { + Name: "npm", + Source: "github.example.com/foo/bar/gradle.yml", + Type: "github", + }, } steps := yaml.StepSlice{ @@ -409,6 +415,27 @@ func TestNative_ExpandStepsMulti(t *testing.T) { "pull_policy": "pull: true", }, }, + Ruleset: yaml.Ruleset{ + If: yaml.Rules{ + Branch: []string{"main"}, + }, + }, + }, + &yaml.Step{ + Name: "sample", + Template: yaml.StepTemplate{ + Name: "npm", + Variables: map[string]interface{}{ + "image": "openjdk:latest", + "environment": "{ GRADLE_USER_HOME: .gradle, GRADLE_OPTS: -Dorg.gradle.daemon=false -Dorg.gradle.workers.max=1 -Dorg.gradle.parallel=false }", + "pull_policy": "pull: true", + }, + }, + Ruleset: yaml.Ruleset{ + If: yaml.Rules{ + Branch: []string{"dev"}, + }, + }, }, } 
@@ -557,7 +584,10 @@ func TestNative_ExpandStepsMulti(t *testing.T) { t.Errorf("Creating new compiler returned err: %v", err) } - build, err := compiler.ExpandSteps(&yaml.Build{Steps: steps, Services: yaml.ServiceSlice{}, Environment: raw.StringSliceMap{}}, tmpls) + ruledata := new(pipeline.RuleData) + ruledata.Branch = "main" + + build, err := compiler.ExpandSteps(&yaml.Build{Steps: steps, Services: yaml.ServiceSlice{}, Environment: raw.StringSliceMap{}}, tmpls, ruledata) if err != nil { t.Errorf("ExpandSteps returned err: %v", err) } @@ -644,7 +674,7 @@ func TestNative_ExpandStepsStarlark(t *testing.T) { t.Errorf("Creating new compiler returned err: %v", err) } - build, err := compiler.ExpandSteps(&yaml.Build{Steps: steps, Secrets: yaml.SecretSlice{}, Services: yaml.ServiceSlice{}, Environment: raw.StringSliceMap{}}, tmpls) + build, err := compiler.ExpandSteps(&yaml.Build{Steps: steps, Secrets: yaml.SecretSlice{}, Services: yaml.ServiceSlice{}, Environment: raw.StringSliceMap{}}, tmpls, new(pipeline.RuleData)) if err != nil { t.Errorf("ExpandSteps returned err: %v", err) } diff --git a/go.mod b/go.mod index 01e869534..b7e3765ea 100644 --- a/go.mod +++ b/go.mod @@ -30,7 +30,7 @@ require ( github.com/sirupsen/logrus v1.9.0 github.com/spf13/afero v1.9.4 github.com/urfave/cli/v2 v2.24.4 - go.starlark.net v0.0.0-20230228032650-dded03209ead + go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 golang.org/x/oauth2 v0.5.0 gopkg.in/square/go-jose.v2 v2.6.0 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 diff --git a/go.sum b/go.sum index 9b8e2d8a7..cdb1e7d1e 100644 --- a/go.sum +++ b/go.sum 
@@ -446,8 +446,8 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.starlark.net v0.0.0-20230228032650-dded03209ead h1:qZOFk6/3JiKg5gjRTf4lShf/N0K3acJ95Bg70LsgnHI=
-go.starlark.net v0.0.0-20230228032650-dded03209ead/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
+go.starlark.net v0.0.0-20230302034142-4b1e35fe2254 h1:Ss6D3hLXTM0KobyBYEAygXzFfGcjnmfEJOBgSbemCtg=
+go.starlark.net v0.0.0-20230302034142-4b1e35fe2254/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
 golang.org/x/arch v0.0.0-20210923205945-b76863e36670 h1:18EFjUmQOcUvxNYSkA6jO9VAiXCnxFY6NyDX0bHDmkU=
 golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
diff --git a/internal/token/parse.go b/internal/token/parse.go
index dc9b002d3..4cae4e986 100644
--- a/internal/token/parse.go
+++ b/internal/token/parse.go
@@ -34,6 +34,10 @@ func (tm *Manager) ParseToken(token string) (*Claims, error) {
 claims = t.Claims.(*Claims)
 name := claims.Subject
 
+ // according to JWT, the iat field is optional for security purposes and is purely informational.
+ // setting it to nil avoids any worries of race conditions.
+ claims.IssuedAt = nil
+
 // check if subject has a value in claims;
 // we can save a db lookup attempt
 if len(name) == 0 {
diff --git a/internal/token/parse_test.go b/internal/token/parse_test.go
index 9ee9ce453..6c9076515 100644
--- a/internal/token/parse_test.go
+++ b/internal/token/parse_test.go
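Review bot: The comment's rationale for `claims.IssuedAt = nil` does not match where the assignment sits: it runs after `claims = t.Claims.(*Claims)` has been taken from the already-parsed token, so any iat validation the JWT library performs, and any issuer/verifier clock-skew "race", has already happened by this line, and the assignment only hides iat from callers of ParseToken. The phrase "optional for security purposes" also misstates RFC 7519, which makes iat OPTIONAL and informational rather than a security measure. If the intent is to keep downstream code and struct comparisons in tests from depending on iat, the comment should say that, e.g. `// iat is optional and informational (RFC 7519 §4.1.6); clear it after parsing so callers never depend on it.` Be aware that discarding iat also forecloses any future "reject tokens issued before time X" check, which is the usual verifier-side use of the field. ParseToken starts before and continues after the hunk.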
@@ -51,7 +51,7 @@ func TestTokenManager_ParseToken(t *testing.T) { TokenType: constants.UserAccessTokenType, RegisteredClaims: jwt.RegisteredClaims{ Subject: u.GetName(), - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 5)), }, }, @@ -69,7 +69,7 @@ func TestTokenManager_ParseToken(t *testing.T) { TokenType: constants.UserRefreshTokenType, RegisteredClaims: jwt.RegisteredClaims{ Subject: u.GetName(), - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 30)), }, }, @@ -89,7 +89,7 @@ func TestTokenManager_ParseToken(t *testing.T) { TokenType: constants.WorkerBuildTokenType, RegisteredClaims: jwt.RegisteredClaims{ Subject: "worker", - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 90)), }, }, diff --git a/router/middleware/claims/claims_test.go b/router/middleware/claims/claims_test.go index 914c5882e..8447ff009 100644 --- a/router/middleware/claims/claims_test.go +++ b/router/middleware/claims/claims_test.go @@ -33,7 +33,7 @@ func TestClaims_Retrieve(t *testing.T) { IsActive: true, RegisteredClaims: jwt.RegisteredClaims{ Subject: "octocat", - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 1)), }, } @@ -90,7 +90,7 @@ func TestClaims_Establish(t *testing.T) { IsActive: true, RegisteredClaims: jwt.RegisteredClaims{ Subject: "foo", - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 5)), }, }, @@ -110,7 +110,7 @@ func TestClaims_Establish(t *testing.T) { Repo: "foo/bar", RegisteredClaims: jwt.RegisteredClaims{ Subject: "host", - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(time.Minute * 35)), }, }, 
@@ -130,7 +130,7 @@ func TestClaims_Establish(t *testing.T) { TokenType: constants.WorkerAuthTokenType, RegisteredClaims: jwt.RegisteredClaims{ Subject: "host", - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(tm.WorkerAuthTokenDuration)), }, }, @@ -148,7 +148,7 @@ func TestClaims_Establish(t *testing.T) { TokenType: constants.WorkerRegisterTokenType, RegisteredClaims: jwt.RegisteredClaims{ Subject: "host", - IssuedAt: jwt.NewNumericDate(now), + IssuedAt: nil, ExpiresAt: jwt.NewNumericDate(now.Add(tm.WorkerRegisterTokenDuration)), }, },