diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1182191f..69fd8f83 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -121,6 +121,8 @@ jobs:
 name: darwin+aarch64
 - os: [self-hosted, linux, ARM64]
 name: linux+aarch64
+ outputs:
+ HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != '' }}
 container: ${{ matrix.platform.container }}
 steps:
 - uses: actions/checkout@v3
@@ -156,7 +158,7 @@ jobs:
 stage:
 needs: [test]
 # this only works for PRs from our team to our repo (security! :( )
- if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && secrets.AWS_S3_CACHE != ''
+ if: startsWith(github.ref, 'refs/pull/') && startsWith(github.repository, 'teaxyz/pantry.') && needs.test.outputs.HAS_SECRETS
 runs-on: ubuntu-latest
 strategy:
 matrix:
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 11dbab77..6e9c8bcf 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -7,6 +7,8 @@ on:
 jobs:
 cd:
 runs-on: ubuntu-latest
+ outputs:
+ HAS_SECRETS: ${{ secrets.AWS_S3_CACHE != '' }}
 steps:
 - uses: actions/checkout@v3
 - run: >
@@ -16,13 +18,15 @@ jobs:
 curl https://app.tea.xyz/api/receiveWatcherProjects --fail -X PUT \
 -H "content-type: application/json" -H "authorization: bearer ${{ secrets.TEA_API_TOKEN }}" -d @-
 bottle-pr:
+ needs: [cd]
 #FIXME: will fail (harmlessly) on non-merge/non-new-version runs, and won't work on 3rd-party PRs
- if: ${{ secrets.AWS_S3_CACHE != '' }}
+ if: needs.cd.outputs.HAS_SECRETS
 uses: ./.github/workflows/bottle.yml
 secrets: inherit
 bottle-standalone:
 runs-on: ubuntu-latest
- if: ${{ secrets.AWS_S3_CACHE == '' }}
+ needs: [cd]
+ if: ! needs.cd.outputs.HAS_SECRETS
 steps:
 - uses: actions/checkout@v3
 - uses: technote-space/get-diff-action@v6
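Review bot: The new `outputs:` block in the first build.yml hunk (and the identical one on the `cd` job in cd.yml) has no comment saying why a secret check is published as a job output, and the reason is not obvious from the YAML. I would add above it `# job-level if: cannot read the secrets context, so expose only whether AWS_S3_CACHE is set (never its value)`; that is presumably the motivation for the change. The same comment should say that consumers receive the string 'true' or 'false', since the dependent `if:` conditions rely on it. This job also carries a platform matrix, so each leg writes the same output key, which is harmless only while every runner sees the same secrets. The job definition starts outside the hunk.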
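Review bot: The `stage` condition in the second build.yml hunk ends in a bare `needs.test.outputs.HAS_SECRETS`, but job outputs are strings and the non-empty string 'false' is truthy in an Actions expression, so this gate passes whether or not the secret exists. Compare explicitly: `... && needs.test.outputs.HAS_SECRETS == 'true'`. As written, the job that the comment above it limits to team PRs would also start on runs without AWS_S3_CACHE and presumably fail later at whichever step needs the credential, instead of being skipped. The same bare-output test is used for `bottle-pr` in cd.yml (`if: needs.cd.outputs.HAS_SECRETS`) and needs the same `== 'true'`.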
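Review bot: `if: ! needs.cd.outputs.HAS_SECRETS` on `bottle-standalone` starts a plain YAML scalar with `!`, which YAML reads as a tag indicator rather than as negation, so the condition is not the expression it appears to be. Even wrapped in `${{ }}`, negating the string output would be false for both 'true' and 'false', leaving `bottle-standalone` never running. Use a comparison instead: `if: needs.cd.outputs.HAS_SECRETS != 'true'`. Separately, `needs: [cd]` now makes both bottle jobs depend on `cd` succeeding, so a failed `curl --fail` there skips them; confirm that coupling is intended. The `bottle-standalone` steps continue past the end of the hunk.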