Add if condition to OIDC setup step to check secret presence

- Added if condition: secrets.{TOKEN_ENV_VAR} != ''
- Setup step now only runs when the secret exists
- Updated test to verify the if condition is present
- Uses engine-specific token env var (e.g., ANTHROPIC_API_KEY for Claude)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

pkg/workflow/openid.go

@@ -99,6 +99,8 @@ func GenerateOIDCSetupStep(oidcConfig *OIDCConfig, engine CodingAgentEngine) Git
 
 	stepLines = append(stepLines, "      - name: Setup OIDC token")
 	stepLines = append(stepLines, "        id: setup_oidc_token")
+	// Only run if the fallback token secret exists (check for non-empty secret)
+	stepLines = append(stepLines, fmt.Sprintf("        if: secrets.%s != ''", engine.GetTokenEnvVarName()))
 	stepLines = append(stepLines, "        uses: actions/github-script@v8")
 	stepLines = append(stepLines, "        env:")
 

pkg/workflow/openid_test.go

@@ -121,6 +121,11 @@ func TestClaudeEngineWithOIDC(t *testing.T) {
 		t.Error("Expected OIDC setup step to be present")
 	}
 
+	// Verify setup step has if condition to check for secret
+	if !strings.Contains(stepsStr, "if: secrets.ANTHROPIC_API_KEY != ''") {
+		t.Error("Expected OIDC setup step to have 'if: secrets.ANTHROPIC_API_KEY != ''' condition")
+	}
+
 	// Verify OIDC revoke step is present
 	if !strings.Contains(stepsStr, "Revoke OIDC token") {
 		t.Error("Expected OIDC revoke step to be present")