I am trying to pass a dynamic secret to a reusable workflow

  provision-new-instance-type:
    name: 'Provision new instance type node pool'
    uses: ./.github/workflows/update_node_pool.yaml
    with:
      oldNodePoolName: ${{ github.event.inputs.oldNodePoolName }}
      newNodePoolInstanceType: ${{ github.event.inputs.newNodePoolInstanceType }}
      newNodePoolName: ${{ github.event.inputs.newNodePoolName }}
      tfVarFile: ${{ github.event.inputs.tfVarFile }}
      environment: ${{ github.event.inputs.environment }}
    secrets:
      WIP_PROVIDER: ${{ secrets[format('{0}', needs.settings.outputs.wipId)] }}
      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}

The WIP_PROVIDER in the called workflow never resolves:

    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: ${{ (secrets.WIP_PROVIDER || secrets[format('{0}', steps.figureGcpProject.outputs.wipId)]) }}
        service_account: ${{ steps.figureGcpProject.outputs.serviceAccount }}

Is it not possible to do this type of substitution for shared workflows?

Resolved by setting

needs: settings

But this shouldn’t be required as the needs in the job should register the dependency rite?

As far as I understand the workflow syntax, each job is standalone unless otherwise specified by the outputs of a previous job and the needs of the next job.

Rite. So I’d figure the needs that I show with WIP_PROVIDER: ${{ secrets[format('{0}', needs.settings.outputs.wipId)] }} would automatically infer the dependency between the first job and the second and not require me to explicitly state needs:<job> in the job template but it seems like this is the case. This just seems redundant to me.