Skip to content

ci: scope GITGUARDIAN_API_KEY to ggshield-action step only#6

Merged
tablackburn merged 1 commit into
mainfrom
ci/scope-ggshield-secret
May 10, 2026
Merged

ci: scope GITGUARDIAN_API_KEY to ggshield-action step only#6
tablackburn merged 1 commit into
mainfrom
ci/scope-ggshield-secret

Conversation

@tablackburn

Copy link
Copy Markdown
Owner

Summary

Refines the graceful-skip pattern landed earlier so the GITGUARDIAN_API_KEY secret value is no longer exposed to every step of the ggshield job.

Before: job-level env: { GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} } made the secret visible to actions/checkout and any future steps in the job.

After: job-level env only exposes a boolean (GGSHIELD_ENABLED: ${{ secrets.GITGUARDIAN_API_KEY != '' }}); the actual secret value is scoped to the ggshield-action step via step-level env.

Why

Copilot review feedback on tablackburn/YouTubeMusicPS#21 flagged the wider exposure. Adopted there in commit 8af9b36; this PR propagates the same refinement to keep the convention aligned across all template-derived repos.

Behavior

No functional change when the secret is set (gate evaluates to 'true' and the action runs as before). Pure defense-in-depth: future additions to the job can't accidentally inherit the secret.

Test plan

  • CI passes (existing required checks)
  • GitGuardian Scan runs (gate evaluates true here)

🤖 Generated with Claude Code

Per Copilot review feedback on YouTubeMusicPS#21: the previous job-level
env exposed the full secret value to every step in the job (including
actions/checkout and any future additions), even though only the
ggshield-action step needs it.

Switches to a boolean-gate pattern: job-level env exposes only
GGSHIELD_ENABLED (a "true"/"false" string indicating whether the secret
is set), and the actual GITGUARDIAN_API_KEY value is scoped via
step-level env on the ggshield-action invocation. Behavior unchanged
when the secret is set; better defense-in-depth against future steps
inheriting the secret unintentionally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 10, 2026 05:44
@tablackburn tablackburn enabled auto-merge (squash) May 10, 2026 05:44
@tablackburn tablackburn merged commit 55d14c1 into main May 10, 2026
12 checks passed
@tablackburn tablackburn deleted the ci/scope-ggshield-secret branch May 10, 2026 05:45

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Scopes the GITGUARDIAN_API_KEY secret so it’s only available to the GitGuardian/ggshield-action step, reducing accidental secret exposure across the rest of the job while preserving the existing “graceful skip” behavior when the secret is not set.

Changes:

  • Replaces job-level GITGUARDIAN_API_KEY with a job-level boolean gate (GGSHIELD_ENABLED) derived from secret presence.
  • Updates step if: conditions to check GGSHIELD_ENABLED == 'true'.
  • Adds step-level env to pass GITGUARDIAN_API_KEY only to the ggshield action step.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants