How to keep secrets inside a reusable workflow?

I am wondering how I can avoid having to set secrets in tens of repositories from multiple organizations that are calling one reusable workflow.

Mainly I just want to set the secrets inside the repository hosting the reusable workflow and not have to pass secrets when I call it. Obviously this requires some kind of whitelisting of those allowed to call this workflow, otherwise anyone would be able to abuse it.

The use-case is very simple: posting a message for irc/matrix/slack/twitter. You do not want to configure secrets for each repository but you want to allow them to notify about new releases.

If we are expected to copy/paste secrets to tens if not hundreds of repositories in order to make it work it would effectively neuter the reusability part of them.

Multiple repositories within a single organization can be solved with organization secrets.

To the best of my knowledge, there isn’t any reasonable way to solve the secrets scenario for multiple repositories that do not belong to a single organization (or user). I guess you might be able to use something like Hashicorp Vault to reduce some of the copy & paste burdens; effectively just needing to share the access credentials for a vault of secrets. But other than that, I’m not able to envision how this could be solved in any other way while ensuring the secrets are safe.
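As an added example (not from either post in this thread), this is the shape the single-organization case takes: one organization secret, scoped to selected repositories, a reusable workflow that declares that secret as a required input, and a caller that forwards it. The organization name, repository path, secret name and webhook are hypothetical placeholders.

```yaml
# .github/workflows/notify.yml
# Lives in the repository hosting the reusable workflow (example-org/workflows, hypothetical).
name: notify-release
on:
  workflow_call:
    inputs:
      message:
        required: true
        type: string
    secrets:
      CHAT_WEBHOOK_URL:        # hypothetical secret name; the caller must supply it
        required: true

jobs:
  post:
    runs-on: ubuntu-latest
    steps:
      - name: Post release notice
        env:
          # Keep the secret in an environment variable rather than a command
          # argument, so it does not appear in the rendered command in the job log.
          WEBHOOK: ${{ secrets.CHAT_WEBHOOK_URL }}
          MESSAGE: ${{ inputs.message }}
        run: |
          curl --silent --show-error --fail \
            -H 'Content-Type: application/json' \
            --data "$(jq -cn --arg text "$MESSAGE" '{text: $text}')" \
            "$WEBHOOK"
---
# .github/workflows/release.yml
# Lives in each calling repository of the same organization.
name: release
on:
  release:
    types: [published]

jobs:
  notify:
    uses: example-org/workflows/.github/workflows/notify.yml@v1   # hypothetical path
    with:
      message: "Released ${{ github.repository }} ${{ github.ref_name }}"
    secrets:
      # Resolved in the caller's context. With CHAT_WEBHOOK_URL defined once as an
      # organization secret and its access policy limited to selected repositories,
      # only those repositories can resolve it, which is the allow-list the question asks for.
      CHAT_WEBHOOK_URL: ${{ secrets.CHAT_WEBHOOK_URL }}
```

Two points worth checking before relying on this: the called workflow runs with the caller's secrets, so the hosting repository's own secrets are never visible to it unless the caller passes them (using `secrets: inherit` in the caller forwards all of the caller's secrets, which is broader than the single secret declared above), and none of this crosses an organization boundary, which is the limitation the answer describes.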
