Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Passing in secrets to reusable workflow does not work without secrets in env #1413

Closed
martin-svanberg-northvolt opened this issue Oct 12, 2021 · 24 comments
Labels
bug Something isn't working

Comments

@martin-svanberg-northvolt

We are trying out Github Actions and have run into a curious issue which we think is a bug. We have configured secrets at the organization level, and are trying to pass those secrets in to a reusable workflow as shown below:

name: example

on:
  pull_request:
    branches:
      - gh-actions

jobs:
  test:
    uses: northvolt/example/.github/workflows/review-common.yml@gh-actions
    secrets:
      password: ${{ secrets.PASSWORD }}

This does not work. password shows up blank in the reusable workflow instead of having the value of the secret.

If we instead add env: ${{ secrets }} to the top-level of the manifest, all of a sudden the secret gets passed in to the workflow. This seems quite counterintuitive since passing in secrets should not be related to the env, and this behavior does not appear to be documented anywhere. In fact, this example of secrets in reusable workflows does not need an env key set at the top-level.

@martin-svanberg-northvolt martin-svanberg-northvolt added the bug Something isn't working label Oct 12, 2021
@cloin
Copy link

cloin commented Oct 27, 2021

Do you have something like this in review-common.yml ?

workflow_call:
    secrets:
      password:
        description: 'needed for login'
        required: false

@martin-svanberg-northvolt
Copy link
Author

martin-svanberg-northvolt commented Oct 27, 2021

We have something that looks like this, rather:

on:
  workflow_call:
    secrets:
      PASSWORD:
        required: true

@cloin
Copy link

cloin commented Oct 27, 2021

I posted about how I got this to work for me over here https://github.saobby.my.eu.orgmunity/t/reusable-workflows-secrets-and-environments/203695/26?u=cloin

@martin-svanberg-northvolt
Copy link
Author

Thanks for the link @cloin!

@bobleujr
Copy link

bobleujr commented Oct 29, 2021

@martin-svanberg-northvolt I also had this behavior trying to use an organization-level secret. It worked with a secret in the repo though. I feel like trying to guess how variables and secrets are organized and rendered across templates & actions is like navigating a sea in the dark. Azure DevOps (which is far from perfect) has A LOT to teach to github actions. If you guys want to give it a push, please comment / +1 this issue actions/toolkit#931

@ericsciple
Copy link
Collaborator

@martin-svanberg-northvolt i tried to reproduce the issue and it seems to be working correctly now.

We rolled out some recent fixes in related code, which perhaps fixed this issue as well :)

@martin-svanberg-northvolt
Copy link
Author

Thanks @ericsciple! Closing this for now. Will reopen if there are further issues.

@param-finder
Copy link

Spent hours on this dreaded issue. CircleCI is so much better when it comes to re-usability. Github Actions lack good documentation and features!

@woutersf
Copy link

woutersf commented Jul 28, 2022

For future me:
secrets:inherit fixed it for me:
In the calling job:

jobs:  
  deploy-tst-custom:
    uses: ./.github/workflows/thejob.yml
    secrets: inherit

*edited typo

@M-Farag
Copy link

M-Farag commented Aug 27, 2022

Yeah (secrets: inherit) did the trick to me.
Just add it to the caller workflow ;)

@rednevals
Copy link

Using secrets: inherit did allow for organization and repository secrets to be passed in, but not environment secrets. These are still unavailable. Anyone having this issue?

@jdjuan
Copy link

jdjuan commented Sep 1, 2022

@rednevals, I found this article, and realized that you can pass the environment name as an input variable, and simply use environment inside the reusable workflow. It worked for me, see the screenshot below:

Bildschirmfoto 2022-09-01 um 13 03 55

@flobernd
Copy link

flobernd commented Sep 1, 2022

Yeah, this is very unintuitive. Found this workaround myself a while ago, but I'm not happy with it. The secrets are passed by the caller and imho the same should be the case for the environment (as it is tightly bound to the secrets). Having to use a workaround like introducing a custom input, just does not feel right.

@rednevals
Copy link

I had opened a support ticket with GitHub and they explained it better... I was passing the environment in, but mistakenly trying to reference the value using "github.event.inputs.env" instead of "inputs.env". Ooops...

@3dfoster
Copy link

3dfoster commented Jan 3, 2023

I posted about how I got this to work for me over here https://github.saobby.my.eu.orgmunity/t/reusable-workflows-secrets-and-environments/203695/26?u=cloin

Link is broken 💔

@cipherbullet
Copy link

Guys,
I'm using nested reusable workflows. Is there anyway to use github secrets without passing them in calling workflow?
I mean I wanna make my calling workflow as simple as possible.

dhellmann added a commit to dhellmann/virtualenvwrapper that referenced this issue Jan 28, 2023
vinayakkulkarni added a commit to vinayakkulkarni/v-kong-dashboard that referenced this issue Feb 23, 2023
https: //github.com/actions/runner/issues/1413#issuecomment-1197936320
Signed-off-by: Vinayak Kulkarni <19776877+vinayakkulkarni@users.noreply.github.com>
@michaelpetri
Copy link

Guys, I'm using nested reusable workflows. Is there anyway to use github secrets without passing them in calling workflow? I mean I wanna make my calling workflow as simple as possible.

From the docs:

Workflows that call reusable workflows in the same organization or enterprise can use the inherit keyword to implicitly pass the secrets.

jobs:
  call-workflow-passing-data:
    uses: octo-org/example-repo/.github/workflows/reusable-workflow.yml@main
    with:
      config-path: .github/labeler.yml
    secrets: inherit

@LucasMMota
Copy link

it looks Github Actions doesn't accept keyword PASSWORD.
I changed my secret in the file from SNOWFLAKE_PASSWORD to SNOWFLAKE_PWD and worked fine

breakchallenge added a commit to breakchallenge/Kong-Dashboard-Nuxt-Frontend that referenced this issue Oct 13, 2023
https: //github.com/actions/runner/issues/1413#issuecomment-1197936320
Signed-off-by: Vinayak Kulkarni <19776877+vinayakkulkarni@users.noreply.github.com>
@MDerrickGlass
Copy link

MDerrickGlass commented Oct 25, 2023

I'm missing something. I have reusable workflows where the secret is only relevant INSIDE the workflow. It seems from all the discussion that it's imperative to define the names of all POTENTIALLY USED secrets in all workflows a caller MAY call in the caller, then use secrets: inherit to pass the whole set to all the called workflows. However, the calling workflow doesn't KNOW what the called workflow may use, it's part of the desired isolation.

How can a reusable workflow simply reference the secrets collection to read/use an organization secret (without passing them in explicitly from the top and funneling them all the way through)? Resort to an API call?

@nullism
Copy link

nullism commented Dec 1, 2023

How can a reusable workflow simply reference the secrets collection to read/use an organization secret (without passing them in explicitly from the top and funneling them all the way through)? Resort to an API call?

We also would like to do this. The caller doesn't know the secret, we simply want it defined on the repo containing the reusable workflow (or action).

@servandorodrigues
Copy link

How can a reusable workflow simply reference the secrets collection to read/use an organization secret (without passing them in explicitly from the top and funneling them all the way through)? Resort to an API call?

We also would like to do this. The caller doesn't know the secret, we simply want it defined on the repo containing the reusable workflow (or action).

Same issue here, my secret is under the called workflow not the one calling.

@42kbit
Copy link

42kbit commented Dec 30, 2023

@rednevals, I found this article, and realized that you can pass the environment name as an input variable, and simply use environment inside the reusable workflow. It worked for me, see the screenshot below:

Bildschirmfoto 2022-09-01 um 13 03 55

Thanks, worked for me.

Without passed environment hack, the actions fails with log:

use_webserver_cd / Deploy to elastic beanstalk
Secret AWS_ACCESS_KEY is required, but not provided while calling.

Here is a snippet of code and what i did to fix it, if someone faces the same problem:

Caller code:

jobs:
  use_webserver_cd:
    uses: ./.github/workflows/webserver_cd_aws_ebs.yaml
    with:
      environment: 'prod'
    secrets: inherit

Reusable workflow

on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string

jobs:
  deploy:
    name: Deploy to elastic beanstalk
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    
    steps:
        # ... snip ...
      - name: Authenticate to aws account
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
        # ... snip ...

Full commit files here:
Caller code
Reusable workflow code

@dankellett
Copy link

I was looking to have a step in a job to retrieve secrets from 1password and then pass them into the re-usable workflow. Looks like this doesn't have a clean solution given this gap in functionality.

@adamdicarlo0
Copy link

I posted about how I got this to work for me over here github.community/t/reusable-workflows-secrets-and-environments/203695/26?u=cloin

Dear GitHub: Sure would be nice if that link still worked 🤣😭

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests