Can't pass organisation-level secret to reusable workflow

I’m trying to pass a GitHub Personal Access Token from a bot user to a reusable workflow, but I can’t get it to work.

Here’s my caller workflow:

name: Process PRs

on:
  pull_request:
    types:
      - opened

jobs:
  dependabot-automerge:
    uses: relaycorp/shared-workflows/.github/workflows/prs.yml@main
    secrets:
      githubToken: ${{ secrets.IRELAYBOT_PR_AUTOMATION_GITHUB_PAT }}

My called workflow:

name: Process pull requests
on:
  workflow_call:
    secrets:
      githubToken:
        required: true

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' && github.event.action == 'opened' }}
    steps:
      - name: Report number of chars in GITHUB_TOKEN
        run: echo -n "${GITHUB_TOKEN}" | wc -c
        env:
          GITHUB_TOKEN: ${{ secrets.githubToken }}
      - name: Fetch metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: ${{ secrets.githubToken }}
      - name: Trigger release if dependency is used in production
        if: ${{ steps.metadata.outputs.dependency-type == 'direct:production' }}
        run: gh pr edit "$PR_URL" --title "${OLD_TITLE/chore/fix}"
        env:
          OLD_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.githubToken }}
      - name: Add automerge label
        run: gh pr edit "$PR_URL" --add-label "automerge"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.githubToken }}

But I get these errors when the action runs because the githubToken secret isn’t set:

Error: github-token is not set! Please add 'github-token: "${{ secrets.GITHUB_TOKEN }}"' to your workflow file

But I’m sure the secret exists and is readable by that repo:

(screenshot: secret)

What am I doing wrong? Or is this a bug?

Thanks.

Does anyone know if this is a bug or if I’m doing something wrong?

One issue I see is that you are trying to set GITHUB_TOKEN yourself. You shouldn’t do this because it is automatically set at the beginning of each workflow:

If you want to use your own token, you should use a different variable name.

Sorry, I just got back to working on this issue and noticed I missed the notification for your reply.

I’m not setting GITHUB_TOKEN in the workflow though. I’m setting githubToken, which I then pass to the step as the env var GITHUB_TOKEN.

The problem even persists if I rename the variable:

(screenshot: token)

So I don’t think this has anything to do with GITHUB_TOKEN; it’s just that the org-level secret isn’t available. But why?

I contacted GitHub support and they found the problem: The secret should’ve been set as a Dependabot secret at the org level… Not a regular secret.

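For the fix in the last reply (the PAT has to be a Dependabot secret at the organisation level, not a regular Actions secret, because a workflow run triggered by dependabot[bot] only sees Dependabot secrets), here is an added example, not from the original thread or from relaycorp, of creating and verifying such a secret with the gh CLI. The org name and secret name are taken from the caller workflow above; the repository name caller-repo and the DRY_RUN switch are assumptions made so the script can be run without touching GitHub.

```shell
#!/bin/sh
# Added example (not from the thread): create and verify an organisation-level
# *Dependabot* secret with the gh CLI. Workflows triggered by dependabot[bot]
# only see Dependabot secrets, so the bot user's PAT has to live in that store
# rather than in the Actions secret store.
# Assumptions: the repository name "caller-repo" is hypothetical, and the
# DRY_RUN switch exists only so this file can be run without calling GitHub.
set -eu

# Print the command instead of running it unless DRY_RUN=0 is set explicitly.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Usage: printf '%s' "$PAT" | set_dependabot_secret ORG SECRET_NAME REPO[,REPO...]
# gh reads the secret value from stdin, so the PAT is never passed as an
# argument and does not land in shell history or process listings.
# --visibility selected restricts the secret to the listed repos (least privilege);
# --app dependabot is the part that was missing in the thread.
set_dependabot_secret() {
  run gh secret set "$2" --app dependabot --org "$1" \
      --visibility selected --repos "$3"
}

# Usage: list_dependabot_secrets ORG
# A secret created with the default (--app actions) shows up under
# `gh secret list --org ORG` but not here; that mismatch is what the thread hit.
list_dependabot_secrets() {
  run gh secret list --app dependabot --org "$1"
}

# Dry-run demonstration with the names from the caller workflow above.
printf '%s' "${BOT_PAT:-<pat-from-bot-user>}" \
  | set_dependabot_secret relaycorp IRELAYBOT_PR_AUTOMATION_GITHUB_PAT caller-repo
list_dependabot_secrets relaycorp
```

Run with DRY_RUN=0 and the PAT in BOT_PAT to actually create the secret. Note that a Dependabot secret is exposed to any workflow run in the selected repos that Dependabot triggers, so keep the bot user's PAT scoped to what the reusable workflow needs (editing pull requests) and keep the repo list short.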