From f869c0e5db336a8a5a02afe9ce217a5466c819bb Mon Sep 17 00:00:00 2001
From: Trent Blackburn
Date: Sun, 10 May 2026 01:22:58 -0400
Subject: [PATCH] ci: graceful-skip ggshield when GITGUARDIAN_API_KEY isn't set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mirrors PowerShellModuleTemplate#28: env-passthrough pattern so a repo without the secret configured no-ops cleanly instead of failing the ggshield workflow run. This repo currently has the secret configured, so this is a defensive alignment with the template — no behavior change today, but matches the convention going forward.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ggshield.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ggshield.yaml b/.github/workflows/ggshield.yaml
index a9f6303..412d202 100644
--- a/.github/workflows/ggshield.yaml
+++ b/.github/workflows/ggshield.yaml
@@ -8,12 +8,16 @@ jobs:
   scanning:
     name: GitGuardian Scan
     runs-on: ubuntu-latest
-    # Skip for Dependabot PRs - they don't have access to secrets and only update dependencies
+    # Skip Dependabot PRs (no secret access, only updates dependencies). The
+    # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY`
+    # below, because the `secrets` context isn't available in `if:` expressions.
     if: github.actor != 'dependabot[bot]'
+    env:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
     steps:
       - uses: actions/checkout@v6
+        if: env.GITGUARDIAN_API_KEY != ''
         with:
           fetch-depth: 0
       - uses: GitGuardian/ggshield-action@v1
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+        if: env.GITGUARDIAN_API_KEY != ''
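Review bot: With both steps guarded by `if: env.GITGUARDIAN_API_KEY != ''`, a run where the secret is missing (or unavailable to the run) skips every step and still reports the job as passed, so a missing secret scan is indistinguishable from a clean one in the check status. Adding a step that surfaces the skip in the run annotations keeps the no-op behaviour but makes it visible: `- if: env.GITGUARDIAN_API_KEY == ''` / `run: echo "::warning::GITGUARDIAN_API_KEY is not set; ggshield scan skipped"`. Moving the key from the ggshield step's `env:` to the job-level `env:` also places the secret in the environment of every step in the job, including `actions/checkout`, which does not need it; that is a small widening of exposure worth a line in the comment above `env:` so it is not extended to further steps without thought. The `jobs:` mapping that encloses this hunk starts before it.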