
fix(ci): scope Doppler token to secret fetch steps #1826

Merged
chaliy merged 1 commit into main from 2026-06-02-fix-doppler-token-exposure-in-workflows on Jun 2, 2026

Conversation

@chaliy (Contributor) commented Jun 2, 2026

Motivation

  • Workflows placed DOPPLER_TOKEN in top-level env, exposing the secret to pnpm install, builds, tests and example runs.
  • Limit secret exposure to only the trusted steps that need it (Doppler CLI / secret-fetch) to prevent exfiltration via lifecycle scripts or PR-controlled JS code.

Description

  • Removed workflow-level DOPPLER_TOKEN from .github/workflows/js.yml and .github/workflows/publish-js.yml.
  • Added a lightweight detection step (id: doppler) that sets steps.doppler.outputs.available without placing the token into the global process env.
  • Scoped DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }} only on the Doppler CLI install and AI example secret-fetch steps so npm installs, builds and tests no longer inherit the secret.

Testing

  • Ran a Python static check to confirm no top-level DOPPLER_TOKEN remains and that scoped DOPPLER_TOKEN entries appear only on Doppler steps (python3 script). (passed)
  • Parsed both edited workflow files with Ruby YAML loader to validate syntax (ruby -e 'require "yaml"; ...'). (passed)
  • Linted workflows with actionlint after edits to ensure workflow correctness. (passed)

Codex Task
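The step-scoping the description above refers to, as an added example that is not the repository's workflow file or its Python check: a constructed before/after pair of GitHub Actions workflows and a standard-library scanner that reports at which scope (workflow, job or step) an env entry exposes a secret. The action refs, step names, the `doppler secrets download` invocation and the `${{ secrets.DOPPLER_TOKEN != '' }}` detection trick are assumptions for illustration; the scanner goes beyond the PR's check in that it also flags job-level env, which leaks to every step of that job just as workflow-level env does.

```python
"""Added example, not the project's own workflow or check script: a constructed
before/after pair of GitHub Actions workflows plus a standard-library scanner
that reports at which scope (workflow, job or step) an env entry exposes
DOPPLER_TOKEN. Action refs, step names and the doppler invocation are assumptions."""
import re

# Constructed "before": a workflow-level env hands the token to every step,
# including pnpm install lifecycle scripts and PR-controlled test code.
BEFORE = """\
name: js
on: [pull_request]
env:
  DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install
      - run: pnpm test
"""

# Constructed "after": only the Doppler steps receive the token; the detection
# step records availability by evaluating an expression, so the token value
# itself never enters the process environment (assumed pattern).
AFTER = """\
name: js
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: doppler
        run: echo "available=${{ secrets.DOPPLER_TOKEN != '' }}" >> "$GITHUB_OUTPUT"
      - name: Install Doppler CLI
        if: steps.doppler.outputs.available == 'true'
        uses: dopplerhq/cli-action@v3   # assumed action ref
        env:
          DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
      - run: pnpm install
      - run: pnpm test
      - name: Fetch AI example secrets
        if: steps.doppler.outputs.available == 'true'
        run: doppler secrets download --no-file --format env > examples/ai/.env
        env:
          DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
"""

KEY_RE = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?(?P<key>[^\s#-][^:]*?):(?:\s|$)")
BLOCK_SCALARS = {"|", ">", "|-", ">-", "|+", ">+"}


def scan_secret_scopes(workflow_yaml, secret_name="DOPPLER_TOKEN"):
    """Return [(line_number, scope)] for every env entry named secret_name.
    scope is "workflow", "job:<job>" or "step:<name or #index>"."""
    stack = []           # (indent, key) of the mapping keys enclosing this line
    block_indent = None  # indent of a `run: |` line whose body is being skipped
    step_index, step_name = 0, None
    found = []
    for lineno, raw in enumerate(workflow_yaml.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if block_indent is not None and indent > block_indent:
            continue     # shell text inside a block scalar, not YAML keys
        block_indent = None
        m = KEY_RE.match(raw)
        if not m:
            continue     # plain scalar continuation, not a key
        key, value = m.group("key").strip(), raw[m.end():].strip()
        if value in BLOCK_SCALARS:
            block_indent = indent
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if m.group("dash"):  # "- key: value" opens a list item
            if stack and stack[-1][1] == "steps":
                step_index, step_name = step_index + 1, None
            stack.append((indent, "-"))
            indent += len(m.group("dash"))
        keys = [k for _, k in stack]
        in_step = len(keys) >= 2 and keys[-1] == "-" and keys[-2] == "steps"
        if key == "name" and in_step:
            step_name = value
        if key == secret_name and keys and keys[-1] == "env":
            parent = keys[:-1]
            if not parent:
                scope = "workflow"
            elif len(parent) >= 2 and parent[-1] == "-" and parent[-2] == "steps":
                scope = "step:" + (step_name or "#%d" % step_index)
            elif len(parent) >= 2 and parent[-2] == "jobs":
                scope = "job:" + parent[-1]
            else:
                scope = "other"
            found.append((lineno, scope))
        stack.append((indent, key))
    return found


def leaks_beyond_steps(workflow_yaml, secret_name="DOPPLER_TOKEN"):
    """True when any occurrence sits above step scope, so untrusted steps inherit it."""
    return any(not scope.startswith("step:")
               for _, scope in scan_secret_scopes(workflow_yaml, secret_name))
```

Running `scan_secret_scopes(BEFORE)` reports the single workflow-level entry, while `AFTER` yields only the two named Doppler steps, so `pnpm install` and `pnpm test` run without the token in their environment. The scanner deliberately skips the body of `run: |` block scalars so that shell text containing `KEY: value` is not mistaken for an env entry.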

@cloudflare-workers-and-pages (Bot) commented Jun 2, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status                    Name     Latest Commit  Preview URL         Updated (UTC)
✅ Deployment successful!  bashkit  b0b1022        Commit Preview URL  Jun 02 2026, 09:27 AM
(View logs)

@chaliy chaliy force-pushed the 2026-06-02-fix-doppler-token-exposure-in-workflows branch from 12a603d to b0b1022 Compare June 2, 2026 09:19
@chaliy chaliy merged commit 62bb684 into main Jun 2, 2026
26 checks passed
@chaliy chaliy deleted the 2026-06-02-fix-doppler-token-exposure-in-workflows branch June 2, 2026 13:29