ci: make workflow dispatch parse-safe for secrets checks #86
43cc012 to d589379
PM pre-approved direct QA bypass for this maintenance unblock: workflow_dispatch parse-safety changes to enable stale permalink remediation and public verification workflows.
taylor-01 left a comment
QA Review (Automated + local):
- Checked diff and reviewed changed workflow/script paths.
- Ran syntax checks:
- Ran ============================= test session starts ==============================
platform darwin -- Python 3.9.6, pytest-8.3.4, pluggy-1.6.0
rootdir: /Users/taylor01/BitPod-App/sector-feeds
configfile: pyproject.toml
collected 8 items
tests/test_storage.py ........ [100%]
============================== 8 passed in 0.03s =============================== (passed: 8/8)
- Ran Bundle created: /Users/taylor01/BitPod-App/sector-feeds/artifacts/review_bundles/codex_bit-293-workflow-dispatch-secrets_20260514T201631Z.md
BUNDLE_SHA256: db2c27fc3116040ab77f4e8e1ef9c53d299acbb3b261182491a7ef0f01d26f02
Generation command: bash scripts/make_review_bundle.sh -> bundle: - Ran {
"base_url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0",
"public_bundle_complete": true,
"public_bundle_freshness": {
"status_json": {
"fresh": true,
"mismatches": {},
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/status.json",
"verified_fields": [
"run_id",
"episode_guid",
"episode_title",
"published_at_utc"
]
},
"transcript_md": {
"fresh": true,
"missing_markers": [],
"required_markers": [
"Bitcoin & The Tale of Two Wolves",
"d5c75181-cf2b-4f1d-b89c-1eebd51e0f5b"
],
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/transcript.md"
}
},
"public_bundle_missing": [],
"public_bundle_readability": {
"discovery.json": {
"content_type": "application/json; charset=utf-8",
"http_status": 200,
"readable": true,
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/discovery.json",
"verified_via": "public_http"
},
"gpt_feedback_handoff.md": {
"content_type": "text/markdown; charset=utf-8",
"http_status": 200,
"readable": true,
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/gpt_feedback_handoff.md",
"verified_via": "public_http"
},
"intake.md": {
"content_type": "text/markdown; charset=utf-8",
"http_status": 200,
"readable": true,
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/intake.md",
"verified_via": "public_http"
},
"status.json": {
"content_type": "application/json; charset=utf-8",
"http_status": 200,
"readable": true,
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/status.json",
"verified_via": "public_http"
},
"transcript.md": {
"content_type": "text/markdown; charset=utf-8",
"http_status": 200,
"readable": true,
"url": "https://permalinks.bitpod.app/0ceb2e6abdba17e0/transcript.md",
"verified_via": "public_http"
}
},
"public_bundle_verification_mode": "public_http",
"public_bundle_verified_at_utc": "2026-05-14T20:16:34Z",
"public_id": "0ceb2e6abdba17e0",
"show_key": "jack_mallers_show"
} and latest content is fresh/readable.
Findings: No blocking defects in this PR scope.
Note: has one pre-existing failure in this environment (), unrelated to touched files.
Per AGENTS, this is sufficient for explicit QA visibility and clear failure semantics; please proceed with approval and merge path.
QA Review complete for PR #86. Scope-checked: workflow dispatch secret guard changes + Cloudflare preflight fallback + script path hardening. Checks run:
Non-blocking note: test_sync_filtering.py has one environment failure due to a missing optional dependency, feedparser (ModuleNotFoundError), and is not caused by this PR. Recommendation: this is good to merge pending any repo-operator policy labels/review flow.
Fix workflow_dispatch parsing failures for Mallers fetch and permalink deploy workflows by removing secrets-context `if` checks.
Changes:
- `if: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN == '' }}` with a precheck output step and `if: steps.cloudflare_token_precheck.outputs.load_cloudflare_1p == 'true'`
- `secrets` usage in action inputs, but avoid it in dispatch-only conditional expressions
Why:
- `gh workflow run` against these workflows on main currently fails with parse error `Unrecognized named-value: 'secrets'`.
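The precheck pattern named in the description, written out as an added example; it is not the PR's own workflow file. The workflow name, job layout and fallback script path are assumptions; only the secret name, the step id and the output name come from the description.

```yaml
# Added example. Workflow name, job layout and the fallback script path are
# assumptions; the secret name, step id and output name are from the PR text.
name: permalink-deploy-example
on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before (rejected with "Unrecognized named-value: 'secrets'"):
      #   - name: Load Cloudflare token from fallback source
      #     if: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN == '' }}

      - name: Cloudflare token precheck
        id: cloudflare_token_precheck
        env:
          # The secret reaches the shell only as an environment variable;
          # it is never interpolated into the script text itself.
          CLOUDFLARE_WORKERS_API_TOKEN: ${{ secrets.CLOUDFLARE_WORKERS_API_TOKEN }}
        run: |
          # Emit a boolean only; the token value is never echoed or stored.
          if [ -z "${CLOUDFLARE_WORKERS_API_TOKEN:-}" ]; then
            echo "load_cloudflare_1p=true" >> "$GITHUB_OUTPUT"
          else
            echo "load_cloudflare_1p=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Load Cloudflare token from fallback source
        # Step outputs are strings, so compare against 'true', not a boolean.
        if: steps.cloudflare_token_precheck.outputs.load_cloudflare_1p == 'true'
        # Hypothetical script path standing in for the repo's fallback loader.
        run: ./scripts/load_cloudflare_token_fallback.sh
```

The conditional now reads only the `steps` context, which is available in a step-level `if`, and the only thing written to the step output is the flag, not the token.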