ci: graceful-skip ggshield when GITGUARDIAN_API_KEY isn't set

Mirrors PowerShellModuleTemplate#28: env-passthrough pattern so a repo
without the secret configured no-ops cleanly instead of failing the
ggshield workflow run. This repo currently has the secret configured,
so this is a defensive alignment with the template — no behavior change
today, but matches the convention going forward.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tablackburn

.github/workflows/ggshield.yaml

@@ -8,12 +8,16 @@ jobs:
   scanning:
     name: GitGuardian Scan
     runs-on: ubuntu-latest
-    # Skip for Dependabot PRs - they don't have access to secrets and only update dependencies
+    # Skip Dependabot PRs (no secret access, only updates dependencies). The
+    # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY`
+    # below, because the `secrets` context isn't available in `if:` expressions.
     if: github.actor != 'dependabot[bot]'
+    env:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
     steps:
       - uses: actions/checkout@v6
+        if: env.GITGUARDIAN_API_KEY != ''
         with:
           fetch-depth: 0
       - uses: GitGuardian/ggshield-action@v1
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+        if: env.GITGUARDIAN_API_KEY != ''