For me, this was only happening when Dependabot was the one who triggered the workflow (Dependabot was the "actor").

Workflows triggered by a Dependabot action are run as if they were in a fork, and don't have access to Organization or Repository secrets: GitHub Actions: Workflows triggered by Dependabot PRs will run with read-only permissions.

So, for now, I will be manually clicking "Merge" on my Dependabot Pull Requests since the next workflow in my CI/CD requires secrets.

See discussion here: GitHub Secrets sometimes empty