fix: use env-passthrough for graceful-skip gates

The `secrets` context isn't available in `if:` expressions at any level
(GitHub Actions context-availability rules), which is why the previous
attempt to use `secrets.X != ''` directly in `if:` failed workflow
validation. Standard workaround: declare the secret as a job-level (or
step-level) `env:` value, then check `env.X != ''` in the `if:`.

ggshield.yaml: secret moved to job-level env, gate is now `env.X != ''`
on each step. Step-level env on the action invocation is no longer
needed (job-level env is inherited).

CI.yaml codecov: secret declared as step-level env, gate is appended to
the existing condition. token: also reads from env for consistency.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tablackburn

.github/workflows/CI.yaml

@@ -118,10 +118,12 @@ jobs:
           ./build.ps1 -Task Build,Test -Bootstrap
 
       - name: Upload Coverage to Codecov
-        if: success() && steps.template_guard.outputs.is_template == 'false' && secrets.CODECOV_TOKEN != ''
+        if: success() && steps.template_guard.outputs.is_template == 'false' && env.CODECOV_TOKEN != ''
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         uses: codecov/codecov-action@v6
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ env.CODECOV_TOKEN }}
           files: out/codeCoverage.xml
           flags: ${{ matrix.os }}
           fail_ci_if_error: false

.github/workflows/ggshield.yaml

@@ -8,16 +8,16 @@ jobs:
   scanning:
     name: GitGuardian Scan
     runs-on: ubuntu-latest
-    # Skip when:
-    #   - Dependabot PR (no secret access, only updates dependencies)
-    #   - GITGUARDIAN_API_KEY not configured (graceful skip for newly-init'd repos
-    #     before the secret is set; Dependabot also lands here because it has no
-    #     secret access, but the explicit actor check above is kept for clarity)
-    if: github.actor != 'dependabot[bot]' && secrets.GITGUARDIAN_API_KEY != ''
+    # Skip Dependabot PRs (no secret access, only updates dependencies). The
+    # secret-presence check is enforced per-step via `env.GITGUARDIAN_API_KEY`
+    # below, because the `secrets` context isn't available in `if:` expressions.
+    if: github.actor != 'dependabot[bot]'
+    env:
+      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
     steps:
       - uses: actions/checkout@v6
+        if: env.GITGUARDIAN_API_KEY != ''
         with:
           fetch-depth: 0
       - uses: GitGuardian/ggshield-action@v1
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
+        if: env.GITGUARDIAN_API_KEY != ''