I’m trying to pass a GitHub Personal Access Token from a bot user to a reusable workflow, but I can’t get it to work.

Here’s my caller workflow:

name: Process PRs
on:

pull_request:

types:

- opened
jobs:

dependabot-automerge:

uses: relaycorp/shared-workflows/.github/workflows/prs.yml@main

secrets:

githubToken: ${{ secrets.IRELAYBOT_PR_AUTOMATION_GITHUB_PAT }}

My called workflow:

name: Process pull requests
on:
  workflow_call:
    secrets:
      githubToken:
        required: true
jobs:

dependabot:

runs-on: ubuntu-latest

if: ${{ github.actor == 'dependabot[bot]' && github.event.action == 'opened' }}

steps:

- name: Report number of chars in GITHUB_TOKEN

run: echo -n "${GITHUB_TOKEN}" | wc -c

env:

GITHUB_TOKEN: ${{ secrets.githubToken }}

- name: Fetch metadata

id: metadata

uses: dependabot/fetch-metadata@v1.1.1

with:

github-token: ${{ secrets.githubToken }}

- name: Trigger release if dependency is used in production

if: ${{ steps.metadata.outputs.dependency-type == 'direct:production' }}

run: gh pr edit "$PR_URL" --title "${OLD_TITLE/chore/fix}"

env:

OLD_TITLE: ${{ github.event.pull_request.title }}

PR_URL: ${{ github.event.pull_request.html_url }}

GITHUB_TOKEN: ${{ secrets.githubToken }}

- name: Add automerge label

run: gh pr edit "$PR_URL" --add-label "automerge"

env:

PR_URL: ${{ github.event.pull_request.html_url }}

GITHUB_TOKEN: ${{ secrets.githubToken }}

But I get these errors when the action runs because the githubToken secret isn’t set:

Error: github-token is not set! Please add 'github-token: "${{ secrets.GITHUB_TOKEN }}"' to your workflow file

err889×319 27.5 KB

But I’m sure the secret exists and is readable by that repo:

What am I doing wrong? Or is this a bug?

Thanks.