From 3d7e7d1dfff7cecb23d245ab175edf1da64bde6d Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" Date: Sat, 21 Mar 2026 00:31:37 +0000 Subject: [PATCH] fix: skip release gracefully when RELEASE_APP_ID is not configured MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a check-secrets job that runs before any expensive work. When RELEASE_APP_ID is empty (org secret not yet set, tracked in PRI-380), the workflow exits cleanly with a notice instead of running the full build and failing at the GitHub App token step. Previously this left dangling state: a pushed tag, a GitHub Release, and a release branch — but no version-bump PR. Now the workflow skips all of that and exits clean. Co-Authored-By: Paperclip --- .github/workflows/plugin-release.yaml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/plugin-release.yaml b/.github/workflows/plugin-release.yaml index 271ea55..da8e6fc 100644 --- a/.github/workflows/plugin-release.yaml +++ b/.github/workflows/plugin-release.yaml @@ -34,12 +34,33 @@ concurrency: cancel-in-progress: false jobs: + check-secrets: + runs-on: runners-privilegedescalation + outputs: + ready: ${{ steps.check.outputs.ready }} + steps: + - name: Verify RELEASE_APP_ID is configured + id: check + env: + RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }} + run: | + if [ -z "$RELEASE_APP_ID" ]; then + echo "::notice::RELEASE_APP_ID org secret is not configured (see PRI-380). Release skipped — no artifacts will be created." + echo "ready=false" >> $GITHUB_OUTPUT + else + echo "ready=true" >> $GITHUB_OUTPUT + fi + ci: + needs: check-secrets + if: needs.check-secrets.outputs.ready == 'true' uses: ./.github/workflows/plugin-ci.yaml with: node-version: ${{ inputs.node-version }} check-tag: + needs: check-secrets + if: needs.check-secrets.outputs.ready == 'true' runs-on: runners-privilegedescalation outputs: skip: ${{ steps.check.outputs.skip }} 
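Review bot: The gate in `check-secrets` tests only `RELEASE_APP_ID`, but a GitHub App token step normally needs the App's private key as well, so if that second secret is the one missing, the release would presumably still reach the token step and leave the same dangling tag, Release and branch that the commit message describes. The token step is not visible in this hunk, so confirm which secrets it reads and test them together, e.g. `if [ -z "$RELEASE_APP_ID" ] || [ -z "$RELEASE_APP_KEY" ]; then`, with `RELEASE_APP_KEY` mapped in `env:` from the key secret (that name is a placeholder). The job never uses the workflow token, so `permissions: {}` and a short `timeout-minutes:` would keep it least-privilege, unless the workflow already sets these at top level. The redirect target should also be quoted, as in `>> "$GITHUB_OUTPUT"`.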
@@ -58,8 +79,8 @@ jobs: fi release: - needs: [ci, check-tag] - if: needs.check-tag.outputs.skip != 'true' + needs: [ci, check-tag, check-secrets] + if: needs.check-secrets.outputs.ready == 'true' && needs.check-tag.outputs.skip != 'true' runs-on: runners-privilegedescalation timeout-minutes: 10
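Review bot: In the new `release` condition, `needs.check-secrets.outputs.ready == 'true'` fails closed but `needs.check-tag.outputs.skip != 'true'` fails open, so an empty or missing `skip` output lets the release proceed. As I read the Actions semantics, this is safe today only because the implicit `success()` check skips `release` when `ci` or `check-tag` is skipped or fails. I would record that next to the expression, e.g. `# relies on implicit success(); do not add always()/!cancelled() here, skip != 'true' is fail-open`. The rest of the `release` job lies outside this hunk.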