one thing that jumps out is the case mismatch. In your yaml file, the secrets are lowercase but in your secrets file, they are uppercase. But otherwise, yes, you can view source to learn more about how it behaves.
secrets are optional by design and it can be valid for a secret to exist for some events (push events) but not exist for other events (pull request) and a step to execute regardless. We do not want to introduce any breaking changes, however, we have considered providing an expanded syntax that is opt-in and could be used to require the secret exists: