From e21fe11cd75f4a4295ea7f654d6fb9e34fb267e8 Mon Sep 17 00:00:00 2001 From: samuelho-dev Date: Tue, 3 Feb 2026 21:23:50 -0800 Subject: [PATCH] fix(helm-publish): fix secrets reference in if condition GitHub Actions doesn't allow direct secrets references in `if:` conditions for reusable workflows. Move the secret access to an environment variable and check it at runtime instead. Co-Authored-By: Claude Opus 4.5 --- .github/workflows/helm-publish.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml index 29ac0ea..b173634 100644 --- a/.github/workflows/helm-publish.yml +++ b/.github/workflows/helm-publish.yml @@ -171,10 +171,16 @@ jobs: helm provenance "$CHART_FILE" || echo "⚠️ Provenance generation failed (GPG key may not be configured)" - name: Import GPG key - if: inputs.sign-chart && secrets.gpg-private-key != '' + if: inputs.sign-chart + env: + GPG_KEY: ${{ secrets.gpg-private-key }} run: | - echo "${{ secrets.gpg-private-key }}" | gpg --batch --import - gpg --list-secret-keys + if [ -n "$GPG_KEY" ]; then + echo "$GPG_KEY" | gpg --batch --import + gpg --list-secret-keys + else + echo "⚠️ No GPG key provided, skipping import" + fi - name: Log in to primary registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
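Review bot: The new `else` branch in the "Import GPG key" step fails open: when `inputs.sign-chart` is true but `GPG_KEY` is empty, the step prints a warning and exits 0, so the job continues as if signing had been set up. Because the caller explicitly asked for a signed chart, a missing key should stop the run, for example `echo "::error::sign-chart is enabled but no GPG key was provided"` followed by `exit 1` in place of the warning line. The context line above the step (`helm provenance "$CHART_FILE" || echo "⚠️ Provenance generation failed ..."`) swallows failure in the same way, so as far as this hunk shows an unsigned chart can reach the registry login. The later steps are outside the hunk, so confirm whether anything downstream verifies that a provenance file exists before publishing. As a smaller point, `printf '%s\n' "$GPG_KEY" | gpg --batch --import` feeds the key more predictably than `echo`, whose handling of backslashes and leading dashes differs between shells.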