docs: Document required GitHub repository secrets

[tablackburn]

Summary

• Add a "Repository secrets" section to README.md documenting the three GitHub Actions secrets the bundled workflows expect: PS_GALLERY_KEY, CODECOV_TOKEN, GITGUARDIAN_API_KEY
• Add step 5 to the README Quick start pointing at the new section
• Add step 5 ("Configure GitHub repository secrets") to Initialize-Template.ps1's post-init "Next steps" output, between the build-test step and the first push
• CHANGELOG entry under [Unreleased]

Why

When initializing a module from this template, the bundled CI/CD workflows fail in opaque ways if secrets aren't set:

• PublishModuleToPowerShellGallery.yaml fails at PowerShellBuild's authentication assertion if PS_GALLERY_KEY isn't set
• ggshield.yaml fails on every push with "Invalid GitGuardian API key" if GITGUARDIAN_API_KEY isn't set
• CI.yaml silently skips the codecov upload step if CODECOV_TOKEN isn't set (gated with fail_ci_if_error: false)

None of this is documented anywhere in the template — not in the README, AGENTS.md, or any of the 12 files in instructions/. New users hit these failures and have to trace through the workflow YAML to figure out what's needed and where to get it.

This PR adds documentation in the two highest-leverage places:

1. README's Quick start (read before init) and a dedicated section (read for detail)
2. Init script's "Next steps" output (read right after init, before first push)

The note about PS_GALLERY_KEY mapping to env var PSGALLERY_API_KEY heads off another easy misconfiguration — someone reading the publish workflow YAML might be tempted to name the secret PSGALLERY_API_KEY directly.

Test plan

• No code changes — README, init script's Write-Host block, CHANGELOG only
• CI / Pester tests are unaffected
• Render the README on GitHub after merge, confirm the new table and anchor link resolve correctly

Future improvements (out of scope)

• ggshield.yaml could if:-gate itself on secrets.GITGUARDIAN_API_KEY != '' to no-op gracefully when the secret is absent (mirroring the existing if: github.actor != 'dependabot[bot]' gate). Worth a separate PR.
• The PS_GALLERY_KEY / PSGALLERY_API_KEY naming difference could be unified by renaming the secret to PSGALLERY_API_KEY directly — but that would be a breaking change for existing template-derived repos, so kept as-is and documented instead.

Summary by CodeRabbit

• Documentation
  • Added comprehensive guide for configuring required and optional GitHub Actions secrets within repository settings
  • Updated setup instructions to prompt configuring repository secrets between the build‑test step and the first push
  • Documented which secrets workflows consume (PS_GALLERY_KEY, CODECOV_TOKEN, GITGUARDIAN_API_KEY), behavior when missing, that GITHUB_TOKEN is auto‑provided, and that the publish workflow exposes PS_GALLERY_KEY as PSGALLERY_API_KEY for builds

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b731415d-6edb-4695-aa1b-478ccdab92cd

📥 Commits

Reviewing files that changed from the base of the PR and between c73e517 and a25eb4c.

📒 Files selected for processing (1)

• Initialize-Template.ps1

✅ Files skipped from review due to trivial changes (1)

• Initialize-Template.ps1

---

📝 Walkthrough

Walkthrough

Adds README documentation for repository GitHub Actions secrets (which workflows consume them and failure behavior) and updates CHANGELOG. Updates Initialize-Template.ps1 post-init “Next steps” message to instruct configuring repository secrets (with README link) before the first push.

Changes

Repository secrets documentation + init message

Layer / File(s)	Summary
Documentation README.md, CHANGELOG.md	Adds a "Repository secrets" section listing PS_GALLERY_KEY, CODECOV_TOKEN, and GITGUARDIAN_API_KEY (required/optional), which workflows consume them, and expected failure/behavior when missing. Updates CHANGELOG with these entries.
Init script message Initialize-Template.ps1	Modifies the post-initialization "Next steps" output: inserts a step instructing maintainers to configure GitHub repository secrets (links to README) before the first push; adjusts subsequent step numbering to push as step 6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰
Secrets noted in a tidy read,
Set them now before you seed.
A gentle prompt before the push,
Quiet builds without a rush. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: Document required GitHub repository secrets' is directly aligned with the PR's main purpose: adding documentation about required GitHub Actions secrets to README.md, Initialize-Template.ps1, and CHANGELOG.md.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/document-repository-secrets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Documents the GitHub Actions repository secrets required (or optional) for the template’s bundled CI/CD workflows, aiming to make first-run failures more discoverable for new template-derived repos.

Changes:

• Add a new “Repository secrets” section to the template-facing README.md and link to it from the Quick start.
• Update Initialize-Template.ps1 “Next steps” output to remind users to configure repository secrets.
• Add an [Unreleased] changelog entry describing the documentation update.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
README.md	Adds a “Repository secrets” section and references it from Quick start.
Initialize-Template.ps1	Inserts a post-init next-step reminder to configure GitHub repository secrets.
CHANGELOG.md	Notes the new documentation and init-script messaging under [Unreleased].

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.