fix(ci): replace hashFiles() job-level if guards with a detect gate job

rust-ci-reusable.yml and elixir-ci-reusable.yml gated their jobs with
`if: ${{ hashFiles('<manifest>') != '' }}` at the JOB level. hashFiles()
needs a checked-out workspace, which does not exist when a job-level `if:`
is evaluated, so GitHub rejects it at the workflow-startup phase — a
startup_failure that has been red on every push (confirmed: the only two
workflows still failing after the YAML/secrets fixes, and the construct
the rust reusable's own header comment flags as a known failure mode).

Replace with the supported pattern: a tiny `detect` job that checks out,
tests for the manifest (Cargo.toml / mix.exs in inputs.working_directory),
and exposes `has_cargo` / `has_mix` as an output the real jobs gate on via
`needs.detect.outputs.*`. Behaviour is preserved (skip the bundle when the
manifest is absent) without the invalid job-level hashFiles().

Consumers pin these reusables by SHA, so existing callers are unaffected
until they bump their pin.

Author: claude

.github/workflows/elixir-ci-reusable.yml

@@ -98,11 +98,42 @@ permissions:
   contents: read
 
 jobs:
+  # Guard on mix.exs so the wrapper is safe to add unconditionally.
+  #
+  # `hashFiles()` is NOT resolvable in a job-level `if:` (it needs a
+  # checked-out workspace, absent at job-gating time) and using it there
+  # is a GitHub Actions startup_failure. Use a tiny `detect` job that
+  # checks out, tests for the manifest, and exposes the result as an
+  # output the real job gates on.
+  detect:
+    name: Detect mix.exs
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      contents: read
+    outputs:
+      has_mix: ${{ steps.detect.outputs.has_mix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ github.ref }}
+      - name: Detect manifest
+        id: detect
+        working-directory: ${{ inputs.working_directory }}
+        shell: bash
+        run: |
+          if [ -f mix.exs ]; then
+            echo "has_mix=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_mix=false" >> "$GITHUB_OUTPUT"
+          fi
+
   test:
     name: Compile + test
     runs-on: ${{ inputs.runs-on }}
-    # Guard on mix.exs so the wrapper is safe to add unconditionally.
-    if: ${{ hashFiles(format('{0}/mix.exs', inputs.working_directory)) != '' }}
+    needs: detect
+    if: ${{ needs.detect.outputs.has_mix == 'true' }}
     permissions:
       contents: read
     env:

.github/workflows/rust-ci-reusable.yml

@@ -103,10 +103,41 @@ jobs:
   # Skip the whole reusable when the repo has no Cargo.toml — lets
   # consumers add the wrapper unconditionally without worrying about
   # repos that don't ship Rust code at the moment.
+  #
+  # `hashFiles()` is NOT resolvable in a job-level `if:` (it needs a
+  # checked-out workspace, which does not exist at job-gating time) and
+  # using it there is a GitHub Actions startup_failure. The supported
+  # pattern is a tiny `detect` job that checks out, tests for the
+  # manifest, and exposes the result as an output the real jobs gate on.
+  detect:
+    name: Detect Cargo.toml
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      contents: read
+    outputs:
+      has_cargo: ${{ steps.detect.outputs.has_cargo }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ github.ref }}
+      - name: Detect manifest
+        id: detect
+        working-directory: ${{ inputs.working_directory }}
+        shell: bash
+        run: |
+          if [ -f Cargo.toml ]; then
+            echo "has_cargo=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "has_cargo=false" >> "$GITHUB_OUTPUT"
+          fi
+
   check:
     name: Cargo check + clippy + fmt
     runs-on: ${{ inputs.runs-on }}
-    if: ${{ hashFiles(format('{0}/Cargo.toml', inputs.working_directory)) != '' }}
+    needs: detect
+    if: ${{ needs.detect.outputs.has_cargo == 'true' }}
     permissions:
       contents: read
     defaults:
@@ -145,8 +176,8 @@ jobs:
   test:
     name: Cargo test
     runs-on: ${{ inputs.runs-on }}
-    needs: check
-    if: ${{ hashFiles(format('{0}/Cargo.toml', inputs.working_directory)) != '' }}
+    needs: [detect, check]
+    if: ${{ needs.detect.outputs.has_cargo == 'true' }}
     permissions:
       contents: read
     defaults:
@@ -184,7 +215,8 @@ jobs:
   audit:
     name: Cargo audit (security)
     runs-on: ${{ inputs.runs-on }}
-    if: ${{ inputs.enable_audit && hashFiles(format('{0}/Cargo.toml', inputs.working_directory)) != '' }}
+    needs: detect
+    if: ${{ inputs.enable_audit && needs.detect.outputs.has_cargo == 'true' }}
     permissions:
       contents: read
     defaults:
@@ -212,7 +244,8 @@ jobs:
   coverage:
     name: Coverage (tarpaulin + codecov)
     runs-on: ${{ inputs.runs-on }}
-    if: ${{ inputs.enable_coverage && hashFiles(format('{0}/Cargo.toml', inputs.working_directory)) != '' }}
+    needs: detect
+    if: ${{ inputs.enable_coverage && needs.detect.outputs.has_cargo == 'true' }}
     permissions:
       contents: read
     defaults: