fix: skip release gracefully when RELEASE_APP_ID is not configured

Adds a check-secrets job that runs before any expensive work. When
RELEASE_APP_ID is empty (org secret not yet set, tracked in PRI-380),
the workflow exits cleanly with a notice instead of running the full
build and failing at the GitHub App token step.

Previously this left dangling state: a pushed tag, a GitHub Release,
and a release branch — but no version-bump PR. Now the workflow skips
all of that and exits clean.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.github/workflows/plugin-release.yaml

@@ -34,12 +34,33 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
+  check-secrets:
+    runs-on: runners-privilegedescalation
+    outputs:
+      ready: ${{ steps.check.outputs.ready }}
+    steps:
+      - name: Verify RELEASE_APP_ID is configured
+        id: check
+        env:
+          RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+        run: |
+          if [ -z "$RELEASE_APP_ID" ]; then
+            echo "::notice::RELEASE_APP_ID org secret is not configured (see PRI-380). Release skipped — no artifacts will be created."
+            echo "ready=false" >> $GITHUB_OUTPUT
+          else
+            echo "ready=true" >> $GITHUB_OUTPUT
+          fi
+
   ci:
+    needs: check-secrets
+    if: needs.check-secrets.outputs.ready == 'true'
     uses: ./.github/workflows/plugin-ci.yaml
     with:
       node-version: ${{ inputs.node-version }}
 
   check-tag:
+    needs: check-secrets
+    if: needs.check-secrets.outputs.ready == 'true'
     runs-on: runners-privilegedescalation
     outputs:
       skip: ${{ steps.check.outputs.skip }}
@@ -58,8 +79,8 @@ jobs:
           fi
 
   release:
-    needs: [ci, check-tag]
-    if: needs.check-tag.outputs.skip != 'true'
+    needs: [ci, check-tag, check-secrets]
+    if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true'
     runs-on: runners-privilegedescalation
     timeout-minutes: 10