fix: skip release finalize when app secrets unavailable #29

Merged
aaditagrawal merged 1 commit into main from fix/release-workflow-secrets on Mar 20, 2026

Conversation

@aaditagrawal (Owner) commented Mar 20, 2026

Summary

The finalize job in the release workflow fails on forks because RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY secrets don't exist. Adds a conditional to skip the job when the secret is empty.

Test plan

  • Release workflow no longer fails on fork

Summary by CodeRabbit

  • Chores
    • Improved release workflow robustness by adding configuration validation to prevent unnecessary process execution.

@github-actions github-actions bot added the vouch:trusted PR author is trusted by repo permissions or the VOUCHED list. label Mar 20, 2026
coderabbitai bot commented Mar 20, 2026

📝 Walkthrough

The change adds a conditional gate to the finalize job in the release workflow that prevents execution when the RELEASE_APP_ID secret is not configured, avoiding failures during GitHub App token creation.

Changes

  • CI/CD Workflow Configuration (.github/workflows/release.yml): added a conditional gate to the finalize job so it is skipped when the RELEASE_APP_ID secret is empty.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

size:M

Poem

🐰 A gate guards the token realm so fine,
When secrets sleep, no app shall sign,
The finalize job now checks with care,
Before creating magic in the air! ✨

🚥 Pre-merge checks: 3 passed
  • Title check: ✅ Passed. The title accurately describes the main change: adding a conditional to skip the release finalize job when app secrets are unavailable.
  • Description check: ✅ Passed. The description deviates from the template structure but provides clear context about the problem and solution. It explains what changed and why, though it lacks the formal template sections.
  • Docstring coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions github-actions bot added the size:XS 0-9 changed lines (additions + deletions). label Mar 20, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 280: The job-level if using secrets is invalid; create a preflight job (e.g., check-release-secrets) that runs in a step which inspects both secrets RELEASE_APP_ID and RELEASE_APP_PRIVATE_KEY and sets a job output like release_creds_set='true' or 'false', then gate the finalize job using the preflight output (e.g., if: needs.check-release-secrets.outputs.release_creds_set == 'true') instead of referencing secrets directly; update the job name referenced in the workflow from finalize to use needs.check-release-secrets for the conditional.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f4b56e7d-92db-4ca9-966a-74c9f37e121a

📥 Commits

Reviewing files that changed from the base of the PR and between 9c00c06 and c4332a1.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

finalize:
name: Finalize release
needs: [preflight, release]
if: ${{ secrets.RELEASE_APP_ID != '' }}
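Review bot: `needs: [preflight, release]` on the line above already makes the preflight job's outputs reachable from finalize, so moving the secret check into a preflight step output (`needs.preflight.outputs.<name>`) requires no change to `needs`, whereas a new dedicated check job would have to be added to that list before its output could be referenced.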

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify expression-context validity for this workflow.
# Expected (current): context error for `secrets` in jobs.<job_id>.if.
# Expected (after fix): no context-availability error on that line.
actionlint .github/workflows/release.yml

Repository: aaditagrawal/t3code

Length of output: 416


Line 280: secrets cannot be used in jobs.finalize.if, so this gate is invalid.

The secrets context is not available in job-level if conditions (only github, inputs, needs, and vars are allowed). This will fail workflow validation. Additionally, this condition only checks RELEASE_APP_ID but not RELEASE_APP_PRIVATE_KEY, so the finalize job can still fail if only the ID is present.

Suggested fix (gate via a preflight output that checks both secrets)
# preflight job
 outputs:
   version: ${{ steps.release_meta.outputs.version }}
   tag: ${{ steps.release_meta.outputs.tag }}
   is_prerelease: ${{ steps.release_meta.outputs.is_prerelease }}
   make_latest: ${{ steps.release_meta.outputs.make_latest }}
   ref: ${{ github.sha }}
+  has_release_app_secrets: ${{ steps.release_app_secrets.outputs.available }}

 steps:
+  - id: release_app_secrets
+    name: Detect release app secrets
+    shell: bash
+    env:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+    run: |
+      if [[ -n "$RELEASE_APP_ID" && -n "$RELEASE_APP_PRIVATE_KEY" ]]; then
+        echo "available=true" >> "$GITHUB_OUTPUT"
+      else
+        echo "available=false" >> "$GITHUB_OUTPUT"
+      fi

# finalize job
- if: ${{ secrets.RELEASE_APP_ID != '' }}
+ if: ${{ needs.preflight.outputs.has_release_app_secrets == 'true' }}
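Review bot: the two `-n` tests in the `run:` block treat any non-empty string as a usable credential, so a placeholder value or a key pasted without its PEM framing still yields `available=true`, and finalize then fails at token creation exactly as before, only later. If a stricter gate is wanted, the same step could check that `$RELEASE_APP_ID` is all digits and that `$RELEASE_APP_PRIVATE_KEY` begins with a `-----BEGIN` header, keeping the decision in one place; either way the step should continue to write only the `available=` verdict to `$GITHUB_OUTPUT` and never echo the values themselves.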
🧰 Tools
🪛 actionlint (1.7.11)

[error] 280-280: context "secrets" is not allowed here. available contexts are "github", "inputs", "needs", "vars". see https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability for more details

(expression)

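The comment above explains why the gate has to live in a preflight step rather than in the job-level `if:`. The following is an added example, not code from the t3code repository or from CodeRabbit's suggested fix: it factors that preflight check into POSIX shell functions that can be run and tested outside GitHub Actions, and it goes beyond the suggestion's non-empty test by also rejecting an App ID that is not purely numeric and a key without a PEM header (both of those format rules are assumptions added here). `RELEASE_APP_ID`, `RELEASE_APP_PRIVATE_KEY` and `GITHUB_OUTPUT` are the names used on the page; `RUN_PREFLIGHT` is a hypothetical switch for running the script directly.

```shell
#!/bin/sh
# Added example, not code from the t3code repository or from CodeRabbit's
# suggested fix. It factors the preflight check into functions so the gate
# logic can be run and tested outside GitHub Actions.
#
# Assumptions beyond the PR (labelled here): a GitHub App ID is a decimal
# number and the private key is a PEM block starting with "-----BEGIN".
# RELEASE_APP_ID, RELEASE_APP_PRIVATE_KEY and GITHUB_OUTPUT are the names
# used on the page; RUN_PREFLIGHT is a hypothetical switch for direct use.

# Returns 0 when both credentials look usable, 1 otherwise.
# The values are only compared, never printed, so nothing reaches the log.
release_app_secrets_available() {
  app_id="$1"
  private_key="$2"

  # The non-empty check is what the suggested fix does: a fork has no
  # secrets, so both values arrive as empty strings and the gate closes.
  [ -n "$app_id" ] || return 1
  [ -n "$private_key" ] || return 1

  # Stricter variant (assumption): reject IDs that are not purely numeric,
  # which also rejects whitespace-only values that pass "-n".
  case "$app_id" in
    *[!0-9]*) return 1 ;;
  esac

  # Stricter variant (assumption): require a PEM header so a placeholder
  # or a truncated paste is caught here instead of at token creation.
  case "$private_key" in
    "-----BEGIN "*) ;;
    *) return 1 ;;
  esac
  return 0
}

# Appends "available=true" or "available=false" to the output file
# (GITHUB_OUTPUT in Actions) and prints the verdict for the caller.
write_release_app_secrets_output() {
  out_file="$1"
  verdict=false
  if release_app_secrets_available "$2" "$3"; then
    verdict=true
  fi
  printf 'available=%s\n' "$verdict" >> "$out_file"
  printf '%s\n' "$verdict"
}

# Direct use, e.g. as the body of a preflight step:
#   RUN_PREFLIGHT=1 sh preflight.sh
# reads the two secrets from the environment and writes the step output.
if [ "${RUN_PREFLIGHT:-}" = "1" ]; then
  write_release_app_secrets_output "${GITHUB_OUTPUT:-/dev/stdout}" \
    "${RELEASE_APP_ID:-}" "${RELEASE_APP_PRIVATE_KEY:-}"
fi
```

In a workflow the `run:` body would set `RUN_PREFLIGHT=1` and rely on the step-level `env:` mapping of the two secrets, as in the suggested fix; the finalize job then keys on `needs.preflight.outputs.<name> == 'true'`. Keeping the verdict as the only thing written to `$GITHUB_OUTPUT` means the private key never appears in an output or a log line, even on a misconfigured runner.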

@aaditagrawal aaditagrawal merged commit 8bfd14d into main Mar 20, 2026
8 checks passed