Commit 06cf952

Document how to use secrets with if: conditionals in GitHub Actions workflows (github#12722)
* 🔒 Document how to use secrets with `if:` github#6861 github#12722
  - Add a complete workflow example to `jobs.<job_id>.steps[*].if`, demonstrating how to skip a step if a secret is not present
  - Add an explanation to "Using encrypted secrets in a workflow"
  - Cross-reference the two pages

* 🔒 Compare secrets with empty strings in `if:` github#6861 github#12722 (comment)
  Rather than referencing two secrets:
  1. `${{ secrets.SECRET_IS_SET }}`
  2. `${{ secrets.SECRET_IS_NOT_SET }}`
  This commit will update the related section of the docs to reference a single secret (`${{ secrets.SECRET_IS_SET }}`), and will update the `if:` conditionals to compare with empty strings as suggested.

* 🔒 Add missing `{% raw %}`/`{% endraw %}` github#6861 github#12722
  Some `${{ }}` values were converted to `$` in the preview environment. Adding `{% raw %}`/`{% endraw %}` will preserve the raw value.

* 🔒 Match variable and secret names in examples github#6861 github#12722 (comment)
  This PR adds an example of how to use secrets with `if:` conditionals. The reviewer suggested comparing variable values with empty strings to make the `if:` conditionals clearer. Commit cecdf00 updated the secret names accordingly, but the names of the secret and environment variable may still have been confusing. This commit will update the secret and environment variable names to match the cross-referenced example on the "Encrypted secrets" page.

* Update content/actions/using-workflows/workflow-syntax-for-github-actions.md

Co-authored-by: hubwriter <[email protected]>
1 parent e913ff3 commit 06cf952

2 files changed

+29
-0
lines changed

content/actions/security-guides/encrypted-secrets.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -227,6 +227,10 @@ steps:
227227
```
228228
{% endraw %}
229229
230+
Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job. For more information, see "[Context availability](/actions/learn-github-actions/contexts#context-availability)" and [`jobs.<job_id>.steps[*].if`](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsif).
231+
232+
If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string.
233+
230234
Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the `ps` command) or captured by [security audit events](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). To help protect secrets, consider using environment variables, `STDIN`, or other mechanisms supported by the target process.
231235
232236
If you must pass secrets within a command line, then enclose them within the proper quoting rules. Secrets often contain special characters that may unintentionally affect your shell. To escape these special characters, use quoting with your environment variables. For example:
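Review bot: the recommendation at line 230 to set the secret as a job-level environment variable needs a scoping caveat: a job-level `env` entry is visible to every step in that job, including any third-party actions the job runs, so the text should tell readers to keep such a job limited to the steps that genuinely need the value rather than adding the secret to the environment of a large job just to drive one `if:`. Also, "in the example" at line 232 refers to a code block outside this hunk; confirm that the example above still uses `secrets.SuperSecret` after the renaming described in the commit message, otherwise the reference dangles.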

content/actions/using-workflows/workflow-syntax-for-github-actions.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -342,6 +342,31 @@ steps:
342342
uses: actions/[email protected]
343343
```
344344

345+
#### Example: Using secrets
346+
347+
Secrets cannot be directly referenced in `if:` conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job.
348+
349+
If a secret has not been set, the return value of an expression referencing the secret (such as {% raw %}`${{ secrets.SuperSecret }}`{% endraw %} in the example) will be an empty string.
350+
351+
{% raw %}
352+
```yaml
353+
name: Run a step if a secret has been set
354+
on: push
355+
jobs:
356+
my-jobname:
357+
runs-on: ubuntu-latest
358+
env:
359+
super_secret: ${{ secrets.SuperSecret }}
360+
steps:
361+
- if: ${{ env.super_secret != '' }}
362+
run: echo 'This step will only run if the secret has a value set.'
363+
- if: ${{ env.super_secret == '' }}
364+
run: echo 'This step will only run if the secret does not have a value set.'
365+
```
366+
{% endraw %}
367+
368+
For more information, see "[Context availability](/actions/learn-github-actions/contexts#context-availability)" and "[Encrypted secrets](/actions/security-guides/encrypted-secrets)."
369+
345370
### `jobs.<job_id>.steps[*].name`
346371

347372
A name for your step to display on {% data variables.product.prodname_dotcom %}.
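Review bot: the sentence "Secrets cannot be directly referenced in `if:` conditionals" at line 347 states the rule but not the reason; saying that the `secrets` context is simply not available in `jobs.<job_id>.steps[*].if` (which is what the "Context availability" link at line 368 documents) makes the job-level `env` workaround understandable rather than arbitrary. The two explanatory paragraphs at lines 347 and 349 are also verbatim copies of the ones added to `encrypted-secrets.md` in this commit; keeping the full explanation on one page and linking from the other avoids the two drifting apart over time.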
