From 86b631606dd176fdb8f1437a811c7a185d41c1e9 Mon Sep 17 00:00:00 2001 From: Trent Blackburn Date: Sun, 10 May 2026 01:22:56 -0400 Subject: [PATCH 1/2] ci: graceful-skip ggshield when GITGUARDIAN_API_KEY isn't set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mirrors PowerShellModuleTemplate#28: env-passthrough pattern so a repo without the secret configured no-ops cleanly instead of failing the ggshield workflow run. This repo currently has the secret configured, so this is a defensive alignment with the template — no behavior change today, but matches the convention going forward. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ggshield.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ggshield.yaml b/.github/workflows/ggshield.yaml index a9f6303..412d202 100644 --- a/.github/workflows/ggshield.yaml +++ b/.github/workflows/ggshield.yaml @@ -8,12 +8,16 @@ jobs: scanning: name: GitGuardian Scan runs-on: ubuntu-latest - # Skip for Dependabot PRs - they don't have access to secrets and only update dependencies + # Skip Dependabot PRs (no secret access, only updates dependencies). The + # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY` + # below, because the `secrets` context isn't available in `if:` expressions. if: github.actor != 'dependabot[bot]' + env: + GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} steps: - uses: actions/checkout@v6 + if: env.GITGUARDIAN_API_KEY != '' with: fetch-depth: 0 - uses: GitGuardian/ggshield-action@v1 - env: - GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} + if: env.GITGUARDIAN_API_KEY != '' From 8af9b366e4231f003fc307d106166f44e5cf1165 Mon Sep 17 00:00:00 2001 From: Trent Blackburn Date: Sun, 10 May 2026 01:39:18 -0400 Subject: [PATCH 2/2] ci: scope GITGUARDIAN_API_KEY to ggshield-action step only Per Copilot review feedback: the previous job-level env exposed the full secret value to every step in the job (including actions/checkout and any future additions), even though only the ggshield-action step needs it. Switches to a boolean-gate pattern: job-level env exposes only GGSHIELD_ENABLED (a "true"/"false" string indicating whether the secret is set), and the actual GITGUARDIAN_API_KEY value is scoped via step-level env on the ggshield-action invocation. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/ggshield.yaml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ggshield.yaml b/.github/workflows/ggshield.yaml index 412d202..d9f55b2 100644 --- a/.github/workflows/ggshield.yaml +++ b/.github/workflows/ggshield.yaml @@ -9,15 +9,19 @@ jobs: name: GitGuardian Scan runs-on: ubuntu-latest # Skip Dependabot PRs (no secret access, only updates dependencies). The - # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY` - # below, because the `secrets` context isn't available in `if:` expressions. + # secret-presence check is enforced per-step via the `GGSHIELD_ENABLED` + # boolean (the `secrets` context isn't available in `if:` expressions, so + # we surface it as a job-level env value). Only the action step receives + # the actual secret, scoped via its own step-level `env`. if: github.actor != 'dependabot[bot]' env: - GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} + GGSHIELD_ENABLED: ${{ secrets.GITGUARDIAN_API_KEY != '' }} steps: - uses: actions/checkout@v6 - if: env.GITGUARDIAN_API_KEY != '' + if: env.GGSHIELD_ENABLED == 'true' with: fetch-depth: 0 - uses: GitGuardian/ggshield-action@v1 - if: env.GITGUARDIAN_API_KEY != '' + if: env.GGSHIELD_ENABLED == 'true' + env: + GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}