fix: guard catalog refresh workflow

Move the secret into job env.
Stop referencing secrets directly in step if conditions.
Add CI checks for workflow guard regressions.

Author: johnbenac

.github/workflows/ci.yml

@@ -13,7 +13,9 @@ jobs:
       - uses: actions/checkout@v4
       - uses: rhysd/actionlint@v1.7.11
       - name: Validate script syntax
-        run: bash -n scripts/check-apps-manifest.sh scripts/check-app-builds.sh
+        run: bash -n scripts/check-apps-manifest.sh scripts/check-app-builds.sh scripts/check-workflow-guards.sh
+      - name: Validate workflow guards
+        run: bash scripts/check-workflow-guards.sh
       - name: Validate manifest and source layout
         run: bash scripts/check-apps-manifest.sh
       - name: Build application images

.github/workflows/publish-images.yml

@@ -101,11 +101,11 @@ jobs:
   refresh-catalogs:
     needs: publish
     runs-on: ubuntu-latest
+    env:
+      CATALOG_REFRESH_TOKEN: ${{ secrets.CATALOG_REFRESH_TOKEN }}
     steps:
       - name: Trigger downstream catalog refresh
-        if: ${{ secrets.CATALOG_REFRESH_TOKEN != '' }}
-        env:
-          CATALOG_REFRESH_TOKEN: ${{ secrets.CATALOG_REFRESH_TOKEN }}
+        if: ${{ env.CATALOG_REFRESH_TOKEN != '' }}
         run: |
           set -euo pipefail
           for repo in sw-ourbox-catalog-demo; do

scripts/check-workflow-guards.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+matches="$(grep -RInE '^[[:space:]]*if:.*\bsecrets\.' "${ROOT}/.github/workflows" || true)"
+if [[ -n "${matches}" ]]; then
+  echo "workflow if conditions must not reference secrets.* directly" >&2
+  echo "${matches}" >&2
+  exit 1
+fi
+
+echo "Workflow guard checks passed."