From 8e8601279ad0ac8326b03e0ffc710cca0d0d4c01 Mon Sep 17 00:00:00 2001
From: John Myers <johntmyers@users.noreply.github.com>
Date: Wed, 18 Mar 2026 10:18:28 -0700
Subject: [PATCH] fix(ci): use env context instead of secrets in step-level if
 condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The secrets context is not available in step-level if expressions in
GitHub Actions — only in with and env blocks. This caused the workflow
file to be invalid, failing every run with:

  Unrecognized named-value: 'secrets'

Fix by exporting the secret to a job-level env var and checking that
in the step condition instead.
---
 .github/workflows/vouch-check.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/vouch-check.yml b/.github/workflows/vouch-check.yml
index 178512b5..1b58c275 100644
--- a/.github/workflows/vouch-check.yml
+++ b/.github/workflows/vouch-check.yml
@@ -12,10 +12,12 @@ jobs:
   vouch-gate:
     if: github.repository_owner == 'NVIDIA'
     runs-on: ubuntu-latest
+    env:
+      ORG_READ_TOKEN: ${{ secrets.ORG_READ_TOKEN }}
     steps:
       - name: Check org membership
         id: org-check
-        if: ${{ secrets.ORG_READ_TOKEN != '' }}
+        if: env.ORG_READ_TOKEN != ''
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.ORG_READ_TOKEN }}