From b06acf06e28bd6f1526762592bfebe6f461ce4a6 Mon Sep 17 00:00:00 2001
From: Vahid Ahmadi <va.vahidahmadi@gmail.com>
Date: Tue, 17 Mar 2026 18:10:16 +0000
Subject: [PATCH] Fix invalid secrets reference in versioning workflow

Secrets cannot be used directly in step-level `if` expressions in
GitHub Actions. Use an env var with a shell conditional instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/versioning.yaml                  | 10 +++++++---
 changelog.d/fix-versioning-secrets-syntax.fixed.md |  1 +
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelog.d/fix-versioning-secrets-syntax.fixed.md

diff --git a/.github/workflows/versioning.yaml b/.github/workflows/versioning.yaml
index d84e7ae3c..839251860 100644
--- a/.github/workflows/versioning.yaml
+++ b/.github/workflows/versioning.yaml
@@ -79,7 +79,11 @@ jobs:
           password: ${{ secrets.PYPI }}
           skip_existing: true
       - name: Update API
-        if: ${{ secrets.POLICYENGINE_GITHUB != '' }}
-        run: python .github/update_api.py
+        run: |
+          if [ -n "$CROSS_REPO_TOKEN" ]; then
+            GITHUB_TOKEN="$CROSS_REPO_TOKEN" python .github/update_api.py
+          else
+            echo "Skipping cross-repo API update (POLICYENGINE_GITHUB secret not set)"
+          fi
         env:
-          GITHUB_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
+          CROSS_REPO_TOKEN: ${{ secrets.POLICYENGINE_GITHUB }}
diff --git a/changelog.d/fix-versioning-secrets-syntax.fixed.md b/changelog.d/fix-versioning-secrets-syntax.fixed.md
new file mode 100644
index 000000000..f02a9f992
--- /dev/null
+++ b/changelog.d/fix-versioning-secrets-syntax.fixed.md
@@ -0,0 +1 @@
+Fixed invalid `secrets` reference in versioning workflow step condition that prevented the workflow from running.
\ No newline at end of file