diff --git a/.github/workflows/if-secrets.yml b/.github/workflows/if-secrets.yml
new file mode 100644
index 0000000..44ae1f9
--- /dev/null
+++ b/.github/workflows/if-secrets.yml
@@ -0,0 +1,47 @@
+on:
+  workflow_dispatch:
+  push:
+
+jobs:
+  job-secret:
+    name: "Jobs can't reference secrets in if"
+    runs-on: ubuntu-latest
+    # Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.EXISTING_SECRET
+    #if: ${{ secrets.EXISTING_SECRET }}
+    steps:
+      - run: "echo Hello"
+
+  job-secret-env:
+    name: "Jobs can't reference env in if"
+    runs-on: ubuntu-latest
+    env:
+      EXISTING_SECRET: ${{ secrets.EXISTING_SECRET }}
+    # Unrecognized named-value: 'env'. Located at position 1 within expression: env.EXISTING_SECRET
+    #if: ${{ env.EXISTING_SECRET }}
+    steps:
+      - run: "echo Hello"
+
+  step-secret:
+    name: "Step secrets: Invalid"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Steps can't reference secrets"
+        # Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.EXISTING_SECRET
+        #if: ${{ secrets.EXISTING_SECRET }}
+        run: "echo Hello"
+
+  step-secret-env:
+    name: "Steps secrets: Workaround"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Workaround (true)"
+        if: ${{ env.EXISTING_SECRET }}
+        run: "echo Hello"
+        env:
+          EXISTING_SECRET: ${{ secrets.EXISTING_SECRET }}
+
+      - name: "Workaround (false)"
+        if: ${{ env.EXISTING_SECRET }}
+        run: "echo Hello"
+        env:
+          EXISTING_SECRET: ${{ secrets.NON_EXISTENT_SECRET }}