Passing in secrets to reusable workflow does not work without secrets in env #1413
Comments
Do you have something like this in
|
We have something that looks like this, rather:
```yaml
on:
  workflow_call:
    secrets:
      PASSWORD:
        required: true
```
|
I posted about how I got this to work for me over here https://github.community/t/reusable-workflows-secrets-and-environments/203695/26?u=cloin |
Thanks for the link @cloin! |
@martin-svanberg-northvolt I also had this behavior trying to use an organization-level secret. It worked with a secret in the repo though. I feel like trying to guess how variables and secrets are organized and rendered across templates & actions is like navigating a sea in the dark. Azure DevOps (which is far from perfect) has A LOT to teach to github actions. If you guys want to give it a push, please comment / +1 this issue actions/toolkit#931 |
@martin-svanberg-northvolt I tried to reproduce the issue and it seems to be working correctly now. We rolled out some recent fixes in related code, which perhaps fixed this issue as well :) |
Thanks @ericsciple! Closing this for now. Will reopen if there are further issues. |
Spent hours on this dreaded issue. CircleCI is so much better when it comes to re-usability. Github Actions lack good documentation and features! |
For future me:
*edited typo |
Yeah (secrets: inherit) did the trick to me. |
Using secrets: inherit did allow for organization and repository secrets to be passed in, but not environment secrets. These are still unavailable. Anyone having this issue? |
@rednevals, I found this article, and realized that you can pass the environment name as an input variable, and simply use |
Yeah, this is very unintuitive. Found this workaround myself a while ago, but I'm not happy with it. The secrets are passed by the |
I had opened a support ticket with GitHub and they explained it better... I was passing the environment in, but mistakenly trying to reference the value using "github.event.inputs.env" instead of "inputs.env". Ooops... |
Link is broken 💔 |
Guys, |
https://github.com/actions/runner/issues/1413#issuecomment-1197936320 Signed-off-by: Vinayak Kulkarni <19776877+vinayakkulkarni@users.noreply.github.com>
From the docs: Workflows that call reusable workflows in the same organization or enterprise can use the inherit keyword to implicitly pass the secrets.
```yaml
jobs:
  call-workflow-passing-data:
    uses: octo-org/example-repo/.github/workflows/reusable-workflow.yml@main
    with:
      config-path: .github/labeler.yml
    secrets: inherit
```
|
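For comparison with `secrets: inherit`, the explicit form discussed in this thread hands the called workflow only the secrets it declares instead of every secret the caller can read. The following is an added example, not code from the thread or from the GitHub docs; the file paths, job names, the `push` trigger and the `DEPLOY_PASSWORD` secret name are assumptions. The guard step fails the job when the secret arrives blank, which is the symptom this issue reports.

```yaml
# --- called workflow: .github/workflows/reusable-deploy.yml (hypothetical path) ---
on:
  workflow_call:
    secrets:
      PASSWORD:
        # The run fails at call time if the caller does not map this secret.
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Fail fast if the secret arrived empty
        env:
          # Expose the secret through the step environment rather than
          # interpolating it into the script text.
          PASSWORD: ${{ secrets.PASSWORD }}
        run: |
          if [ -z "$PASSWORD" ]; then
            echo "PASSWORD was not passed to the reusable workflow" >&2
            exit 1
          fi
---
# --- caller workflow: .github/workflows/ci.yml (hypothetical path) ---
on:
  push:
    branches: [main]

jobs:
  call-deploy:
    uses: ./.github/workflows/reusable-deploy.yml
    secrets:
      # Left side: the name declared under workflow_call.secrets above.
      # Right side: the caller's secret (hypothetical name); the two
      # names do not have to match.
      PASSWORD: ${{ secrets.DEPLOY_PASSWORD }}
```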
it looks Github Actions doesn't accept keyword |
I'm missing something. I have reusable workflows where the secret is only relevant INSIDE the workflow. It seems from all the discussion that it's imperative to define the names of all POTENTIALLY USED secrets in all workflows a caller MAY call in the caller, then use How can a reusable workflow simply reference the |
We also would like to do this. The caller doesn't know the secret, we simply want it defined on the repo containing the reusable workflow (or action). |
Same issue here, my secret is under the called workflow not the one calling. |
Thanks, worked for me. Without passed environment hack, the actions fails with log:
Here is a snippet of code and what I did to fix it, if someone faces the same problem:
Caller code:
```yaml
jobs:
  use_webserver_cd:
    uses: ./.github/workflows/webserver_cd_aws_ebs.yaml
    with:
      environment: 'prod'
    secrets: inherit
```
Reusable workflow:
```yaml
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
jobs:
  deploy:
    name: Deploy to elastic beanstalk
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    steps:
      # ... snip ...
      - name: Authenticate to aws account
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
      # ... snip ...
```
Full commit files here: |
I was looking to have a step in a job to retrieve secrets from 1password and then pass them into the re-usable workflow. Looks like this doesn't have a clean solution given this gap in functionality. |
Dear GitHub: Sure would be nice if that link still worked 🤣😭 |
We are trying out Github Actions and have run into a curious issue which we think is a bug. We have configured secrets at the organization level, and are trying to pass those secrets in to a reusable workflow as shown below:
This does not work. `password` shows up blank in the reusable workflow instead of having the value of the secret.
If we instead add `env: ${{ secrets }}` to the top-level of the manifest, all of a sudden the secret gets passed in to the workflow. This seems quite counterintuitive since passing in secrets should not be related to the env, and this behavior does not appear to be documented anywhere. In fact, this example of secrets in reusable workflows does not need an `env` key set at the top-level.