ci: scope GITGUARDIAN_API_KEY to ggshield-action step only

Per Copilot review feedback on YouTubeMusicPS#21: the previous job-level
env exposed the full secret value to every step in the job (including
actions/checkout and any future additions), even though only the
ggshield-action step needs it.

Switches to a boolean-gate pattern: job-level env exposes only
GGSHIELD_ENABLED (a "true"/"false" string indicating whether the secret
is set), and the actual GITGUARDIAN_API_KEY value is scoped via
step-level env on the ggshield-action invocation. Behavior unchanged
when the secret is set; better defense-in-depth against future steps
inheriting the secret unintentionally.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tablackburn

.github/workflows/ggshield.yaml

@@ -9,15 +9,19 @@ jobs:
     name: GitGuardian Scan
     runs-on: ubuntu-latest
     # Skip Dependabot PRs (no secret access, only updates dependencies). The
-    # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY`
-    # below, because the `secrets` context isn't available in `if:` expressions.
+    # secret-presence check is enforced per-step via the `GGSHIELD_ENABLED`
+    # boolean (the `secrets` context isn't available in `if:` expressions, so
+    # we surface it as a job-level env value). Only the action step receives
+    # the actual secret, scoped via its own step-level `env`.
     if: github.actor != 'dependabot[bot]'
     env:
-      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+      GGSHIELD_ENABLED: ${{ secrets.GITGUARDIAN_API_KEY != '' }}
     steps:
       - uses: actions/checkout@v6
-        if: env.GITGUARDIAN_API_KEY != ''
+        if: env.GGSHIELD_ENABLED == 'true'
         with:
           fetch-depth: 0
       - uses: GitGuardian/ggshield-action@v1
-        if: env.GITGUARDIAN_API_KEY != ''
+        if: env.GGSHIELD_ENABLED == 'true'
+        env:
+          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}