From e3bc1ff8f40dda7224bf23f69135cd8ab1aebbd4 Mon Sep 17 00:00:00 2001
From: chitcommit <208086304+chitcommit@users.noreply.github.com>
Date: Wed, 10 Jun 2026 02:32:32 +0000
Subject: [PATCH] fix(reusable-ci): move secret env to job scope so step if: gates work
Step-level env: is materialized too late to be visible in that same step's if: expression. After #8 unblocked YAML parsing, consumer runs began hitting startup_failure because the security and ai-review jobs declared SNYK_TOKEN / ANTHROPIC_API_KEY only at step level while gating the step with `if: env.X != ''`. Hoist those env: blocks to job scope (canonical pattern) so the gate resolves correctly. No behavior change when the secret is present; when absent, the gated step is skipped instead of failing the run. Also adds the missing actions/setup-node step to the security job so `npm audit` has a node toolchain.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/reusable-ci-pipeline.yml | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/reusable-ci-pipeline.yml b/.github/workflows/reusable-ci-pipeline.yml
index f642855..265b795 100644
--- a/.github/workflows/reusable-ci-pipeline.yml
+++ b/.github/workflows/reusable-ci-pipeline.yml
@@ -114,8 +114,15 @@ jobs: needs: detect if: inputs.run-security runs-on: ubuntu-latest + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} steps: - uses: actions/checkout@v4 + - name: Setup Node.js + if: needs.detect.outputs.language == 'node' + uses: actions/setup-node@v4 + with: + node-version: ${{ inputs.node-version }} - name: npm audit if: needs.detect.outputs.language == 'node' working-directory: ${{ inputs.working-directory }}
@@ -124,8 +131,6 @@ jobs: if: env.SNYK_TOKEN != '' uses: snyk/actions/node@master continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} ai-review: name: AI Review 
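Review bot: Hoisting `SNYK_TOKEN` into the job-level `env:` makes the secret visible to every step of the security job — `actions/checkout`, the new `actions/setup-node` step and `npm audit` — not only the Snyk step that consumes it. With the steps visible here that is low exposure (none of them run package lifecycle scripts), but any step added to this job later inherits the token silently, so the widened scope deserves a comment at the declaration, e.g. `# Job-scoped (not step-scoped) only so the Snyk step's if: env.SNYK_TOKEN gate can see it; every step in this job inherits this value.` The security job's `name:` line sits above the hunk, so the full step list cannot be confirmed from here.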
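Review bot: `uses: snyk/actions/node@master` resolves a third-party action from a mutable branch, and after this change that step runs with `SNYK_TOKEN` in its environment (via the job `env:`) alongside the checked-out source, so whatever `master` points to at run time could read the token. Pin it to a full commit SHA with the tracked ref as a trailing comment, e.g. `uses: snyk/actions/node@<full-commit-sha> # master`, and let Dependabot/Renovate propose bumps. `continue-on-error: true` on the same step also means Snyk findings never affect the run result; if that is intentional it should say so, e.g. `# advisory only: Snyk findings do not fail the run`. The Snyk step's `- name:` line is above the hunk.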
@@ -134,13 +139,13 @@ jobs: permissions: contents: read pull-requests: write + env: + ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} steps: - uses: actions/checkout@v4 - name: Claude Review if: env.ANTHROPIC_API_KEY != '' uses: anthropics/claude-code-action@beta - env: - ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }} with: anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} model: "claude-sonnet-4-20250514"
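Review bot: `uses: anthropics/claude-code-action@beta` is a moving tag, and this job hands it `pull-requests: write` plus `ANTHROPIC_API_KEY`, so whatever the tag resolves to at run time can post to PRs and spend the key; pin it to a full commit SHA, e.g. `uses: anthropics/claude-code-action@<full-commit-sha> # beta`. The key is now supplied twice — the job-level `env:` exists only so the step `if:` gate can evaluate it, while `with: anthropic_api_key:` is what the action appears to consume — and without a comment someone will "clean up" one copy and break either the gate or the action; suggested next to the env entry: `# env copy is only for the if: gate on the Claude Review step; the action reads the with: input`. The job's `runs-on`/`needs` lines sit above the hunk, so what triggers this job in consumer workflows cannot be confirmed from here.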