ci: graceful-skip ggshield when GITGUARDIAN_API_KEY isn't set

[tablackburn]

Summary

Propagates PowerShellModuleTemplate#28 to this repo. Updates .github/workflows/ggshield.yaml to use the env-passthrough pattern so the GitGuardian Scan job no-ops cleanly when GITGUARDIAN_API_KEY isn't configured, instead of failing the workflow run.

Why

Defensive alignment with the template's new convention. This repo currently has GITGUARDIAN_API_KEY set, so there's no behavior change today — the gate evaluates true and the scan runs as before. The value is for any future state where the secret is rotated, removed, or unset.

Notes

• The secrets context isn't available in if: expressions, so the gate uses job-level env + step-level if: env.X != ''.
• The explicit Dependabot actor check is kept for self-documentation, even though Dependabot PRs would now be skipped naturally by the env check (no secret access).

Test plan

• CI passes (existing required checks)
• GitGuardian Scan runs (gate evaluates true here)

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@tablackburn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 44 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7cc984af-091a-4a19-8d0a-c89346b984bc

📥 Commits

Reviewing files that changed from the base of the PR and between f3f8114 and ebf76d9.

📒 Files selected for processing (1)

• .github/workflows/ggshield.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/graceful-skip-missing-secrets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Updates the GitGuardian scanning workflow to avoid failing CI when GITGUARDIAN_API_KEY is not configured, by gating scan steps on a job-level env passthrough instead of relying on secret access in if:.

Changes:

• Adds job-level env.GITGUARDIAN_API_KEY passthrough from secrets.GITGUARDIAN_API_KEY.
• Adds step-level if: env.GITGUARDIAN_API_KEY != '' guards so checkout + ggshield run only when the secret is present.
• Keeps the explicit Dependabot skip at the job level.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.