ci: graceful-skip ggshield + codecov when their secrets aren't set #28

Merged: tablackburn merged 2 commits into main from ci/graceful-skip-missing-secrets on May 10, 2026

Conversation

@tablackburn (Owner) commented May 10, 2026

Summary

Adds secrets.<NAME> != '' gates to two optional-secret workflow steps so newly-init'd modules from this template don't fail their first push:

  • ggshield.yaml — extends the existing job-level if: with secrets.GITGUARDIAN_API_KEY != ''. The Dependabot actor check is kept for self-documentation, but is redundant under the new gate (Dependabot PRs have no access to repo secrets, so the secret-presence check naturally skips them).
  • CI.yaml codecov upload step — appends secrets.CODECOV_TOKEN != '' to the existing condition. The fail_ci_if_error: false on the codecov action stays — it still protects against transient upload failures when the token is set.

Why

This is item #3 of the post-PR-#18 follow-up scope (the original PR #18 description called this out as "Future improvements (out of scope)"). Currently:

  • A fresh module without GITGUARDIAN_API_KEY configured fails ggshield on every push with "Invalid GitGuardian API key".
  • A fresh module without CODECOV_TOKEN runs the codecov action, which then warns and produces no useful upload (it doesn't fail CI thanks to fail_ci_if_error: false, but it's noise).

After this change, both steps short-circuit cleanly until the user wires the secrets up.

Validation strategy

This template repo has GITGUARDIAN_API_KEY configured but not CODECOV_TOKEN, so on this PR's CI the GitGuardian gate evaluates to true and runs the scan (happy-path branch) while the codecov gate evaluates to false and skips the upload step (missing-secret branch) — both branches of the gate semantics are exercised end-to-end on this very PR.

Test plan

  • PSScriptAnalyzer Lint passes

Verified 2026-05-10: PR head eeb8655 check-runs show PSScriptAnalyzer Lint = success.

  • Unit Tests (ubuntu/windows/macOS-latest) all pass

Verified 2026-05-10: PR head eeb8655 check-runs show Unit Tests (ubuntu/windows/macOS-latest) all = success.

  • GitGuardian Scan runs (gate evaluates to true here, secret is set)

Verified 2026-05-10: GITGUARDIAN_API_KEY is configured on this repo (gh secret list), gate evaluated to true; GitGuardian Scan workflow run on the PR head succeeded — happy-path branch of the gate exercised.

  • Codecov upload step skips correctly (gate evaluates to false here, CODECOV_TOKEN is not set)

Verified 2026-05-10: gh secret list -R tablackburn/PowerShellModuleTemplate returns only GITGUARDIAN_API_KEY — CODECOV_TOKEN is not configured. On the PR head, the gate evaluated to false and the Upload Coverage to Codecov step was correctly skipped in all 3 Unit Tests jobs (CI run 25620420661) — exercising the missing-secret branch of the gate.

Follow-up

After this lands, propagate to the 8 consumer repos that have these workflow files. Tracked in project_psmoduletemplate_post_18_followups.md.

🤖 Generated with Claude Code

Newly-init'd modules from this template fail their first push because the
optional GITGUARDIAN_API_KEY (ggshield) and CODECOV_TOKEN (codecov upload)
secrets aren't configured yet. This adds `secrets.<NAME> != ''` gates so
those steps no-op cleanly until the user wires the secrets up, instead of
failing the workflow run.

The ggshield gate also subsumes the existing Dependabot check (Dependabot
PRs don't have secret access, so the secret-presence check skips them
naturally) — but the explicit actor check is kept for self-documentation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 10, 2026 04:47
coderabbitai (Bot) commented May 10, 2026

Warning

Rate limit exceeded

@tablackburn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 37 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e62996f3-9ad4-414d-b63f-3093b27bdc44

📥 Commits

Reviewing files that changed from the base of the PR and between 117bcd4 and eeb8655.

📒 Files selected for processing (2)
  • .github/workflows/CI.yaml
  • .github/workflows/ggshield.yaml

Copilot AI left a comment

Pull request overview

Updates GitHub Actions workflows to gracefully skip optional secret–dependent steps when their corresponding repository secrets are not configured, reducing failures/noise for newly initialized repos created from this template.

Changes:

  • Gate the ggshield job on secrets.GITGUARDIAN_API_KEY != '' (in addition to the existing Dependabot actor check).
  • Gate the Codecov upload step in CI.yaml on secrets.CODECOV_TOKEN != ''.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • .github/workflows/ggshield.yaml: Adds a secret-presence gate so the GitGuardian scan job is skipped when the API key isn't configured.
  • .github/workflows/CI.yaml: Adds a secret-presence gate so the Codecov upload step is skipped when no token is configured.


Comment thread on .github/workflows/ggshield.yaml (outdated)
The `secrets` context isn't available in `if:` expressions at any level
(GitHub Actions context-availability rules), which is why the previous
attempt to use `secrets.X != ''` directly in `if:` failed workflow
validation. Standard workaround: declare the secret as a job-level (or
step-level) `env:` value, then check `env.X != ''` in the `if:`.

ggshield.yaml: secret moved to job-level env, gate is now `env.X != ''`
on each step. Step-level env on the action invocation is no longer
needed (job-level env is inherited).

CI.yaml codecov: secret declared as step-level env, gate is appended to
the existing condition. token: also reads from env for consistency.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
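A worked version of the gate as the second commit describes it, added here as an example; it is not the project's ggshield.yaml or CI.yaml, which this page does not show. The secret names and the `fail_ci_if_error: false` setting come from the PR; the `on:` triggers, job and step names, the exact form of the Dependabot actor check, the pre-existing codecov condition (shown as `success()`) and the action references (actions/checkout@v4, GitGuardian/ggshield-action@v1, codecov/codecov-action@v4) are assumptions.

```yaml
# Added example (not the project's workflow files). Assumed: triggers, job/step
# names, the actor-check form, the codecov step's prior condition, and the
# action references below.

name: GitGuardian Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    # REJECTED at workflow validation: `secrets` is not an allowed context in
    # any `if:` expression, job-level or step-level:
    #   if: ${{ github.actor != 'dependabot[bot]' && secrets.GITGUARDIAN_API_KEY != '' }}
    #
    # Job-level `if:` cannot read `env` either (only github, needs, vars, inputs),
    # so only the actor check stays here; the secret gate moves onto each step.
    if: ${{ github.actor != 'dependabot[bot]' }}
    env:
      # Expands to '' when the secret is not configured, or not passed to the
      # run (Dependabot and fork pull requests); every step below tests that.
      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
    steps:
      - name: Checkout
        if: ${{ env.GITGUARDIAN_API_KEY != '' }}
        uses: actions/checkout@v4
      - name: GitGuardian scan
        if: ${{ env.GITGUARDIAN_API_KEY != '' }}
        # No step-level env needed: the action inherits the job env above.
        uses: GitGuardian/ggshield-action@v1

  # The codecov upload in CI.yaml uses the step-level variant of the same gate:
  # the secret is declared in the step's own `env:` and the check is appended
  # to the condition that was already there (assumed here to be `success()`).
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: echo "test run that writes a coverage report goes here"   # placeholder
      - name: Upload Coverage to Codecov
        if: ${{ success() && env.CODECOV_TOKEN != '' }}
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        uses: codecov/codecov-action@v4
        with:
          token: ${{ env.CODECOV_TOKEN }}
          fail_ci_if_error: false   # still absorbs transient upload failures once the token is set
```

Two caveats when copying this pattern. A job-level `env:` hands the secret to every step in that job, third-party actions included; when only one step needs it, the step-level form used for the codecov upload is the tighter choice. And the gate tests presence only: a configured but invalid key still reaches ggshield, so the "Invalid GitGuardian API key" failure the PR mentions is unchanged for repos that have a stale secret set.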

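A pre-push check for the pitfall the second commit message records (any `secrets.*` reference inside an `if:` is rejected at workflow validation), added here as an example and not part of the project. It needs only the standard library, scans a constructed sample workflow embedded inline rather than the repo's real files, and also performs the `secrets.NAME` to `env.NAME` rewrite the commit applied, listing the `env:` entries that rewrite requires. The sample's action references and job layout are assumptions.

```python
"""Flag GitHub Actions `if:` expressions that reference the `secrets` context.

Added example, not the project's code. `secrets` is not an available context
in `if:` at job or step level, so a workflow using it there fails validation
before any job runs; the fix is to expose the secret through `env:` and test
`env.NAME` instead. Deliberately line-based so no YAML library is needed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample (not the project's CI.yaml or ggshield.yaml): a bad inline
# job-level gate, a bad `|` block-scalar step gate, and one correct env gate.
SAMPLE_WORKFLOW = """\
name: GitGuardian Scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    if: ${{ github.actor != 'dependabot[bot]' && secrets.GITGUARDIAN_API_KEY != '' }}
    env:
      GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
    steps:
      - uses: actions/checkout@v4
      - name: Upload Coverage to Codecov
        if: |
          success() &&
          secrets.CODECOV_TOKEN != ''
        uses: codecov/codecov-action@v4
      - name: GitGuardian scan
        if: ${{ env.GITGUARDIAN_API_KEY != '' }}
        uses: GitGuardian/ggshield-action@v1
"""

# An `if:` key, optionally as the first key of a list item (`- if:`).
_IF_KEY = re.compile(r"^(?P<indent>[ \t]*)(?P<dash>-[ \t]+)?if:[ \t]*(?P<value>.*)$")
# `|` or `>` with optional chomping/indentation indicators.
_BLOCK_SCALAR = re.compile(r"^[|>][+\-1-9]{0,2}$")
_SECRETS_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")


def find_secrets_in_if(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, expression) for every `if:` whose
    expression references `secrets.`; block scalars are joined into one line."""
    lines = text.splitlines()
    findings: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        m = _IF_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        start = i + 1
        value = m.group("value").strip()
        # Column of the `if` key itself; a `- ` list marker shifts it right.
        key_col = len(m.group("indent")) + len(m.group("dash") or "")
        if _BLOCK_SCALAR.match(value):
            # Block scalar: content is every following line indented deeper than the key.
            parts = []
            i += 1
            while i < len(lines):
                line = lines[i]
                if line.strip() == "":
                    i += 1
                    continue
                if len(line) - len(line.lstrip(" ")) <= key_col:
                    break
                parts.append(line.strip())
                i += 1
            value = " ".join(parts)
        else:
            i += 1
        if _SECRETS_REF.search(value):
            findings.append((start, value))
    return findings


def rewrite_to_env_gate(expr: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite `secrets.NAME` to `env.NAME` and return the `env:` entries that
    must be declared (job- or step-level) for the rewritten gate to work."""
    names = sorted({m.group(1) for m in _SECRETS_REF.finditer(expr)})
    fixed = _SECRETS_REF.sub(r"env.\1", expr)
    env = {n: "${{ secrets.%s }}" % n for n in names}
    return fixed, env


if __name__ == "__main__":
    for line_no, expr in find_secrets_in_if(SAMPLE_WORKFLOW):
        fixed, env = rewrite_to_env_gate(expr)
        print(f"line {line_no}: secrets context in if: {expr}")
        print(f"  use:  if: {fixed}")
        for name, value in env.items():
            print(f"  env:  {name}: {value}")
```

Run it over `.github/workflows/*.yaml` before pushing; a non-empty result is the same error GitHub would report at validation time. It only finds the `secrets`-in-`if:` mistake, not the related one the commit also notes (`env` is unavailable in a job-level `if:`), since telling job-level from step-level keys reliably needs a real YAML parser.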