From 7f078ac40fc5988d19be91c2bc3e10793a40fe3f Mon Sep 17 00:00:00 2001
From: Trent Blackburn
Date: Sun, 10 May 2026 00:47:34 -0400
Subject: [PATCH 1/2] ci: graceful-skip ggshield + codecov when their secrets aren't set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Newly-init'd modules from this template fail their first push because the optional GITGUARDIAN_API_KEY (ggshield) and CODECOV_TOKEN (codecov upload) secrets aren't configured yet. This adds `secrets. != ''` gates so those steps no-op cleanly until the user wires the secrets up, instead of failing the workflow run. The ggshield gate also subsumes the existing Dependabot check (Dependabot PRs don't have secret access, so the secret-presence check skips them naturally) — but the explicit actor check is kept for self-documentation.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/CI.yaml | 2 +-
 .github/workflows/ggshield.yaml | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
index a1b8c43..f7b8105 100644
--- a/.github/workflows/CI.yaml
+++ b/.github/workflows/CI.yaml
@@ -118,7 +118,7 @@ jobs:
 ./build.ps1 -Task Build,Test -Bootstrap
 - name: Upload Coverage to Codecov
- if: success() && steps.template_guard.outputs.is_template == 'false'
+ if: success() && steps.template_guard.outputs.is_template == 'false' && secrets.CODECOV_TOKEN != ''
 uses: codecov/codecov-action@v6
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/ggshield.yaml b/.github/workflows/ggshield.yaml
index a9f6303..5fd1f6a 100644
--- a/.github/workflows/ggshield.yaml
+++ b/.github/workflows/ggshield.yaml
@@ -8,8 +8,12 @@ jobs:
 scanning:
 name: GitGuardian Scan
 runs-on: ubuntu-latest
- # Skip for Dependabot PRs - they don't have access to secrets and only update dependencies
- if: github.actor != 'dependabot[bot]'
+ # Skip when:
+ # - Dependabot PR (no secret access, only updates dependencies)
+ # - GITGUARDIAN_API_KEY not configured (graceful skip for newly-init'd repos
+ # before the secret is set; Dependabot also lands here because it has no
+ # secret access, but the explicit actor check above is kept for clarity)
+ if: github.actor != 'dependabot[bot]' && secrets.GITGUARDIAN_API_KEY != ''
 steps:
 - uses: actions/checkout@v6
 with:
From eeb8655ba74d913abbe0fcb01f8a4c018a3cb5c9 Mon Sep 17 00:00:00 2001
From: Trent Blackburn
Date: Sun, 10 May 2026 01:06:21 -0400
Subject: [PATCH 2/2] fix: use env-passthrough for graceful-skip gates
The `secrets` context isn't available in `if:` expressions at any level (GitHub Actions context-availability rules), which is why the previous attempt to use `secrets.X != ''` directly in `if:` failed workflow validation. Standard workaround: declare the secret as a job-level (or step-level) `env:` value, then check `env.X != ''` in the `if:`. ggshield.yaml: secret moved to job-level env, gate is now `env.X != ''` on each step. Step-level env on the action invocation is no longer needed (job-level env is inherited). CI.yaml codecov: secret declared as step-level env, gate is appended to the existing condition. token: also reads from env for consistency.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/CI.yaml | 6 ++++--
 .github/workflows/ggshield.yaml | 16 ++++++++--------
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
index f7b8105..2fdfe88 100644
--- a/.github/workflows/CI.yaml
+++ b/.github/workflows/CI.yaml
@@ -118,10 +118,12 @@ jobs:
 ./build.ps1 -Task Build,Test -Bootstrap
 - name: Upload Coverage to Codecov
- if: success() && steps.template_guard.outputs.is_template == 'false' && secrets.CODECOV_TOKEN != ''
+ if: success() && steps.template_guard.outputs.is_template == 'false' && env.CODECOV_TOKEN != ''
+ env:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 uses: codecov/codecov-action@v6
 with:
- token: ${{ secrets.CODECOV_TOKEN }}
+ token: ${{ env.CODECOV_TOKEN }}
 files: out/codeCoverage.xml
 flags: ${{ matrix.os }}
 fail_ci_if_error: false
diff --git a/.github/workflows/ggshield.yaml b/.github/workflows/ggshield.yaml
index 5fd1f6a..412d202 100644
--- a/.github/workflows/ggshield.yaml
+++ b/.github/workflows/ggshield.yaml
@@ -8,16 +8,16 @@ jobs:
 scanning:
 name: GitGuardian Scan
 runs-on: ubuntu-latest
- # Skip when:
- # - Dependabot PR (no secret access, only updates dependencies)
- # - GITGUARDIAN_API_KEY not configured (graceful skip for newly-init'd repos
- # before the secret is set; Dependabot also lands here because it has no
- # secret access, but the explicit actor check above is kept for clarity)
- if: github.actor != 'dependabot[bot]' && secrets.GITGUARDIAN_API_KEY != ''
+ # Skip Dependabot PRs (no secret access, only updates dependencies). The
+ # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY`
+ # below, because the `secrets` context isn't available in `if:` expressions.
+ if: github.actor != 'dependabot[bot]'
+ env:
+ GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
 steps:
 - uses: actions/checkout@v6
+ if: env.GITGUARDIAN_API_KEY != ''
 with:
 fetch-depth: 0
 - uses: GitGuardian/ggshield-action@v1
- env:
- GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+ if: env.GITGUARDIAN_API_KEY != ''
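Review bot: The codecov step now mirrors CODECOV_TOKEN into a step-level `env:` solely so the `if:` can test its presence, but unlike the ggshield file nothing in CI.yaml says so, and the next reader is likely to fold `token:` and the gate back to `secrets.CODECOV_TOKEN` and hit the validation failure the commit message describes. Add a comment above the `env:` block, e.g. `# Mirrored into env only so the if: above can test presence (the secrets context is not usable in if:); empty until the secret is configured, which skips the upload.` If this workflow also runs on pull_request, the same gate skips uploads from fork PRs, where secrets are empty — worth a word in that comment so the missing coverage report is not mistaken for a bug. The enclosing job starts outside the hunk, so the trigger block cannot be checked from here.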
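Review bot: With both steps gated on `env.GITGUARDIAN_API_KEY != ''`, a repository where the secret was never configured gets a green "GitGuardian Scan" job in which every step was skipped, so the absence of the secret scan is invisible unless someone opens the run; the same applies to fork PRs if this workflow runs on pull_request, which is inferred since the trigger block is outside the hunk. Add a step that surfaces it in the run annotations, e.g. `- if: env.GITGUARDIAN_API_KEY == ''` followed by `run: echo "::warning::GITGUARDIAN_API_KEY not set; GitGuardian scan skipped"`. The job-level `env:` also hands the key to actions/checkout@v6, which has no use for it; if gating checkout is not essential, keeping the secret as step-level `env:` on the ggshield step alone (with the `if:` there) confines the exposure to the one step that needs it.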