ci: graceful-skip ggshield when GITGUARDIAN_API_KEY isn't set

[tablackburn]

Summary

Propagates PowerShellModuleTemplate#28 to this repo. Updates .github/workflows/ggshield.yaml to use the env-passthrough pattern so the GitGuardian Scan job no-ops cleanly when GITGUARDIAN_API_KEY isn't configured, instead of failing the workflow run.

Why

Defensive alignment with the template's new convention. This repo currently has GITGUARDIAN_API_KEY set, so there's no behavior change today — the gate evaluates true and the scan runs as before. The value is for any future state where the secret is rotated, removed, or unset.

Notes

• The secrets context isn't available in if: expressions, so the gate uses job-level env + step-level if: env.X != ''.
• The explicit Dependabot actor check is kept for self-documentation, even though Dependabot PRs would now be skipped naturally by the env check (no secret access).

Test plan

• CI passes (existing required checks)
• GitGuardian Scan runs (gate evaluates true here)

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@tablackburn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 1 minute and 43 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0e8700b5-5d87-4196-91fc-32abf9959545

📥 Commits

Reviewing files that changed from the base of the PR and between 1489525 and f869c0e.

📒 Files selected for processing (1)

• .github/workflows/ggshield.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/graceful-skip-missing-secrets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Updates the GitGuardian (ggshield) GitHub Actions workflow to no-op cleanly when GITGUARDIAN_API_KEY is not configured, avoiding workflow failures caused by missing secrets (while preserving the existing Dependabot skip behavior).

Changes:

• Pass GITGUARDIAN_API_KEY via job-level env and gate execution with step-level if: env.GITGUARDIAN_API_KEY != ''.
• Keep the job-level Dependabot actor skip, while documenting why the secret-presence gate is step-level.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.