From 5575e946780e0c1ffca88849bc0cfd8ad1c2d2d4 Mon Sep 17 00:00:00 2001
From: Graham Savage
Date: Wed, 20 May 2026 19:10:20 +0100
Subject: [PATCH] Fix invalid use of secrets context in step-level if expression

GitHub Actions does not expose the `secrets` context inside step-level `if:` expressions, so referencing `secrets.github_token` there caused the workflow to fail to parse with "Unrecognized named-value: 'secrets'". Map the secret to a step-scoped `env.GH_TOKEN` and gate the step on the env var instead. The `run` block now consumes the token via the env var rather than interpolating the secret directly into the shell command.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/apply.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
index 3cfbbc9..4dc478c 100644
--- a/.github/workflows/apply.yml
+++ b/.github/workflows/apply.yml
@@ -81,6 +81,7 @@ jobs:
 KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
 KOSLI_FLOW: terraform-apply-${{ inputs.environment }}-${{ github.event.repository.name }}
 KOSLI_TRAIL: ${{ github.event.pull_request.head.sha || github.sha }}
+ GH_TOKEN: ${{ secrets.github_token }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -135,8 +136,8 @@ jobs:
 run: kosli attest artifact /tmp/drift.plan.json --artifact-type file --name drift-plan
 - name: Kosli attest pull request
- if: inputs.kosli_template_file != '' && secrets.github_token != ''
+ if: inputs.kosli_template_file != '' && env.GH_TOKEN != ''
 run: |
 kosli attest pr github \
 --name pull-request \
- --github-token ${{ secrets.github_token }}
+ --github-token "$GH_TOKEN"
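Review bot: `GH_TOKEN` is added to the `env:` block that sits directly above `steps:` in the first hunk, which looks like job-level env rather than the step-scoped mapping the commit message describes. At job scope the token is exported into the environment of every step in the job, including third-party actions and any tool that reads `GH_TOKEN` implicitly, while only the `Kosli attest pull request` step in the second hunk uses it. Consider moving it onto that step as `env:` followed by `GH_TOKEN: ${{ secrets.github_token }}`; step-level env should be visible to that step's `if:`, but confirm this on a test run before relying on it. The env block begins above the hunk, so its exact level cannot be confirmed from the lines shown.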
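Review bot: The token still reaches `kosli attest pr github` as a command-line argument (`--github-token "$GH_TOKEN"`), so it sits in the process's argument list for the life of the command, which matters mostly on self-hosted or shared runners. The first hunk shows other Kosli settings (`KOSLI_API_TOKEN`, `KOSLI_FLOW`, `KOSLI_TRAIL`) being supplied through the environment; if the CLI accepts the GitHub token the same way, prefer that and drop the flag. Failing that, a short comment above `run:` such as `# token is read from env, never interpolated into the script text` would record why the quoting must stay. The `run:` block may continue past the end of the hunk.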