From 8552416ece6e258ac6afa2c9c54e3e95c6eef7eb Mon Sep 17 00:00:00 2001
From: Johnathan Falk
Date: Wed, 29 Apr 2026 00:31:42 -0400
Subject: [PATCH] fix(release): replace secrets-in-if with env-bridge guard step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

\`if: \${{ secrets.CI_APP_ID != '' }}\` is invalid in a reusable (workflow_call) workflow — GHA rejects with "Unrecognized named-value: 'secrets'" at workflow load time, and every caller fails to validate with a 0-second runtime and the path-as-name fallback. Materialize the secret through env in a guard step, then gate the Mint step on that step's output. Same observable behavior as before (skip mint when CI_APP_ID empty), but the if-expression now uses steps.check-app.outputs.* which is allowed in callable workflows. Caught when wiring up overnight-burndown's prerelease workflow. Until this lands, every caller of reusable-release.yml fails to validate.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/reusable-release.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index ed0f0e87..4295a40f 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -311,9 +311,23 @@ jobs:
         # commits touch .github/workflows/ — the default GITHUB_TOKEN
         # can't. Skipped entirely when CI_APP_ID isn't configured so the
         # job doesn't emit a noisy error; falls back to GITHUB_TOKEN.
+        # `if:` cannot reference secrets.* directly in a workflow_call workflow
+        # ("Unrecognized named-value: 'secrets'"). Materialize CI_APP_ID through
+        # env in a guard step, then gate the mint step on that step's output.
+      - name: Check for App credentials
+        id: check-app
+        env:
+          CI_APP_ID: ${{ secrets.CI_APP_ID }}
+        run: |
+          if [ -n "$CI_APP_ID" ]; then
+            echo "have-app=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "have-app=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Mint App token for tag push
         id: app-token
-        if: ${{ secrets.CI_APP_ID != '' }}
+        if: steps.check-app.outputs.have-app == 'true'
         uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.CI_APP_ID }}
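Review bot: The new `check-app` guard only tests `CI_APP_ID`, so a caller that passes the app id but not the signing key (the mint step's `with:` block continues past the hunk, so whatever secret feeds `private-key:` is not visible here) still reaches `actions/create-github-app-token` and gets exactly the noisy failure the surrounding comment says this gate exists to avoid. Consider mirroring that second secret into the guard step's `env:` alongside `CI_APP_ID` and extending the shell test to `if [ -n "$CI_APP_ID" ] && [ -n "$<private-key var>" ]; then`, so "have-app" means "can actually mint". The choice of a step-scoped `env:` rather than a job-level one is the right call from a least-privilege standpoint, since it exposes the secret to one extra step only; a one-line comment such as `# step-scoped env on purpose: keeps the secret out of every other step's environment` would keep the next maintainer from "simplifying" it into a job-level env with `if: env.CI_APP_ID != ''`. Note also that, in a `workflow_call` workflow, `secrets.CI_APP_ID` is empty unless the caller declares or inherits it, so the guard silently falls back to `GITHUB_TOKEN` for mis-wired callers — worth stating in the comment block rather than leaving implicit.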