diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7a9daaaf8..6de962ddb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -310,26 +310,27 @@ jobs:
runs-on: ubuntu-latest
needs: [code-quality, test, rust-tests, performance-test, docker-build, docs]
if: always()
+ # GitHub Actions does not allow `secrets.X` directly in step-level `if:`
+ # expressions — only `env.X`. Promote the secret to env at job scope so
+ # the gating expression below is parseable.
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
steps:
- name: Notify Slack on success
- if: ${{ secrets.SLACK_WEBHOOK_URL != '' && needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.docker-build.result == 'success' }}
+ if: ${{ env.SLACK_WEBHOOK_URL != '' && needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.docker-build.result == 'success' }}
uses: 8398a7/action-slack@v3
with:
status: success
channel: '#ci-cd'
text: '✅ CI pipeline completed successfully for ${{ github.ref }}'
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Notify Slack on failure
- if: ${{ secrets.SLACK_WEBHOOK_URL != '' && (needs.code-quality.result == 'failure' || needs.test.result == 'failure' || needs.docker-build.result == 'failure') }}
+ if: ${{ env.SLACK_WEBHOOK_URL != '' && (needs.code-quality.result == 'failure' || needs.test.result == 'failure' || needs.docker-build.result == 'failure') }}
uses: 8398a7/action-slack@v3
with:
status: failure
channel: '#ci-cd'
text: '❌ CI pipeline failed for ${{ github.ref }}'
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- name: Create GitHub Release
if: github.ref == 'refs/heads/main' && needs.docker-build.result == 'success'
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 920e42cbf..b60d275bc 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
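Review bot: Moving `SLACK_WEBHOOK_URL` into the job-level `env:` hands the webhook secret to every step of this job — including `Create GitHub Release` and whatever follows it past the hunk — where before only the two `8398a7/action-slack@v3` steps received it through their own `env:` blocks, which this hunk deletes. Secret masking only scrubs log output; any action or script in the job can still read the variable and send it elsewhere, so the change widens the blast radius of a compromised step to include the Slack webhook. The step-level `if:` only needs to know whether the secret is set, and the `secrets` context is permitted in job-level `env:`, so export a presence flag instead and restore the step-scoped `env:` blocks. Since `uses: 8398a7/action-slack@v3` is a mutable tag, pinning it to a full commit SHA would also bound what can be done with the webhook it receives.
```yaml
    env:
      # Only the presence of the secret is needed by the step-level `if:`;
      # the value itself stays scoped to the two Slack steps below.
      HAS_SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL != '' }}
    steps:
      - name: Notify Slack on success
        if: ${{ env.HAS_SLACK_WEBHOOK == 'true' && needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.docker-build.result == 'success' }}
        uses: 8398a7/action-slack@v3
        # … unchanged: with: block …
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
      - name: Notify Slack on failure
        if: ${{ env.HAS_SLACK_WEBHOOK == 'true' && (needs.code-quality.result == 'failure' || needs.test.result == 'failure' || needs.docker-build.result == 'failure') }}
        uses: 8398a7/action-slack@v3
        # … unchanged: with: block …
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
      # … unchanged: Create GitHub Release …
```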
@@ -377,6 +377,11 @@ jobs:
runs-on: ubuntu-latest
needs: [sast, dependency-scan, container-scan, iac-scan, secret-scan, license-scan, compliance-check]
if: always()
+ # Promote secret to env-scope so the gating `if:` on the Slack-notify
+ # step below is parseable (GitHub Actions rejects `secrets.X` in
+ # step-level `if:` expressions).
+ env:
+ SECURITY_SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
@@ -402,8 +407,11 @@ jobs:
name: security-summary
path: security-summary.md
+ # GitHub Actions does not allow `secrets.X` in step-level `if:` —
+ # use env.X instead. Inherits SECURITY_SLACK_WEBHOOK_URL from the
+ # job-level env block (added below).
- name: Notify security team on critical findings
- if: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL != '' && (needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure' || needs.container-scan.result == 'failure') }}
+ if: ${{ env.SECURITY_SLACK_WEBHOOK_URL != '' && (needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure' || needs.container-scan.result == 'failure') }}
uses: 8398a7/action-slack@v3
with:
status: failure
@@ -415,7 +423,7 @@ jobs:
Workflow: ${{ github.workflow }} Please review the security scan results immediately.
env:
- SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
+ SLACK_WEBHOOK_URL: ${{ env.SECURITY_SLACK_WEBHOOK_URL }}
- name: Create security issue on critical findings
if: needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure'
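Review bot: The job-level `env: SECURITY_SLACK_WEBHOOK_URL` added here is inherited by every step of this job — `Download all artifacts` (`actions/download-artifact@v4`), the summary steps, `Create security issue on critical findings` — not only the Slack step that previously held it in its own `env:`, so a compromised or misbehaving action anywhere in the job can now read the security team's webhook, and log masking does not stop a step that deliberately exfiltrates it. Only the presence of the secret is needed for the step-level gate, and the `secrets` context is allowed in job-level `env:`, so replace the added line with `HAS_SECURITY_SLACK_WEBHOOK: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL != '' }}`. The Slack step, which lives in the following hunks, would then gate on `if: ${{ env.HAS_SECURITY_SLACK_WEBHOOK == 'true' && (...) }}` and keep `SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}` in its own step-level `env:`, which may reference `secrets` directly. That keeps the webhook value scoped to the one step that needs it.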
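Review bot: The new comment above `Notify security team on critical findings` says the job-level env block is "added below", but that block sits above this step at job scope (the hunk at `@@ -377`), so the pointer sends the reader the wrong way, and the first two lines restate the explanation the job-level comment already gives. Reduce it to a single correctly-directed line, e.g. `# secrets.* is not allowed in a step-level if:; gate on the job-level env above.` Also visible in this hunk, `uses: 8398a7/action-slack@v3` pins the action that receives the security webhook to a mutable tag; a full-commit-SHA pin would make that trust explicit and auditable.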