ci: graceful-skip ggshield + codecov when their secrets aren't set

Newly-init'd modules from this template fail their first push because the
optional GITGUARDIAN_API_KEY (ggshield) and CODECOV_TOKEN (codecov upload)
secrets aren't configured yet. This adds `secrets.<NAME> != ''` gates so
those steps no-op cleanly until the user wires the secrets up, instead of
failing the workflow run.

The ggshield gate also subsumes the existing Dependabot check (Dependabot
PRs don't have secret access, so the secret-presence check skips them
naturally) — but the explicit actor check is kept for self-documentation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tablackburn

.github/workflows/CI.yaml

@@ -118,7 +118,7 @@ jobs:
           ./build.ps1 -Task Build,Test -Bootstrap
 
       - name: Upload Coverage to Codecov
-        if: success() && steps.template_guard.outputs.is_template == 'false'
+        if: success() && steps.template_guard.outputs.is_template == 'false' && secrets.CODECOV_TOKEN != ''
         uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/ggshield.yaml

@@ -8,8 +8,12 @@ jobs:
   scanning:
     name: GitGuardian Scan
     runs-on: ubuntu-latest
-    # Skip for Dependabot PRs - they don't have access to secrets and only update dependencies
-    if: github.actor != 'dependabot[bot]'
+    # Skip when:
+    #   - Dependabot PR (no secret access, only updates dependencies)
+    #   - GITGUARDIAN_API_KEY not configured (graceful skip for newly-init'd repos
+    #     before the secret is set; Dependabot also lands here because it has no
+    #     secret access, but the explicit actor check above is kept for clarity)
+    if: github.actor != 'dependabot[bot]' && secrets.GITGUARDIAN_API_KEY != ''
     steps:
       - uses: actions/checkout@v6
         with: