Private/Get-SecretsEnvBlock.ps1

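function Get-SecretsEnvBlock {
    <#
    .SYNOPSIS
        Generate a job-level env: block mapping GitHub secrets to environment variables.
    .DESCRIPTION
        Reads the ci.secrets array from .powercraft/release.json and renders a YAML
        env: block suitable for insertion at job level in a GitHub Actions workflow.

        If no secrets are configured, returns an empty string (no env block rendered).

        Each entry is written twice into the generated workflow text: once as a YAML
        key and once inside a ${{ secrets.NAME }} expression. Entries are therefore
        checked against the character set GitHub accepts for secret names (letters,
        digits and underscore, not starting with a digit) before anything is rendered,
        so a malformed entry cannot add extra YAML keys or alter the expression.
    .PARAMETER Config
        The PSCustomObject returned by Read-PCReleaseConfig.
    .OUTPUTS
        [string] A YAML env block (indented for job level) or empty string.
    .NOTES
        Throws System.ArgumentException when an entry of ci.secrets is not a valid
        secret name. Only names are handled here; secret values never pass through
        this function.
    #>

    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)]
        [PSCustomObject]$Config
    )

    if (-not $Config.ci.secrets -or $Config.ci.secrets.Count -eq 0) {
        return ''
    }

    # \A and \z anchor the whole string; '$' would also accept a trailing newline.
    # -cnotmatch keeps the comparison case-sensitive so only ASCII letters pass.
    $validName = '\A[A-Za-z_][A-Za-z0-9_]*\z'

    # NOTE(review): as displayed, both literals below start with the same leading
    # whitespace; confirm the entries end up nested under 'env:' in the rendered workflow.
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add(' env:')

    foreach ($secret in $Config.ci.secrets) {
        $name = [string]$secret
        if ($name -cnotmatch $validName) {
            throw [System.ArgumentException]::new(
                "Invalid secret name in ci.secrets: '$name'. Use only letters, digits and underscore, and do not start with a digit.")
        }
        $lines.Add(" $name`: `${{ secrets.$name }}")
    }

    # Return with leading newline so it slots cleanly after runs-on line
    "`n" + ($lines -join "`n")
}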