Reusable Workflows, Secrets and Environments

Hi! I have been finding reusable workflows a great feature, but I can't manage to make them work with secrets and environment secrets. My workflows essentially have a single deployment.yml file that takes all args needed for a deployment and encapsulates the deployment workflow.

Unfortunately, I could not manage to make it work with Environment secrets. I have tried:

  • Using environment: ${{ input.environment }} in the reusable workflow file, and while the environment is correctly detected, the secrets are not, no matter what I try.
  • Using environment: this in the reusable workflow caller file. This is simply not supported; Actions complains about it.
1 Like

I noticed some issues with setting the env globally inside the reusable workflow. The values I set statically were there, but the secrets were coming up empty.

name: Reusable Workflow

on:
  workflow_call:
    secrets:
      TOKEN:
        required: true

# Workflow-level env: the secret does not resolve here
env:
  STATIC_VALUE: true # populated in job log
  TOKEN: ${{ secrets.TOKEN }} # empty in job

jobs:
  some-job:
    runs-on: ubuntu-latest
    steps:
      - run: echo $TOKEN # empty

I experimented with adding it to the job within the reusable workflow and that seems to work. Seems to be some issue with the available scope of the secret values.

name: Reusable Workflow

on:
  workflow_call:
    secrets:
      TOKEN:
        required: true

jobs:
  some-job:
    runs-on: ubuntu-latest
    # Job-level env: the secret resolves here
    env:
      STATIC_VALUE: true # populated
      TOKEN: ${{ secrets.TOKEN }} # populated with secret
    steps:
      - run: echo $TOKEN

It means some duplication of values on jobs, which isn't too nice, but at least it works.

3 Likes

. . . +1, same here!

1 Like

I am having this same issue. I can’t figure out how to get Environment secrets within a reusable workflow.

Hi everyone. I’m the product manager for reusable workflows. We have a bug with passing environment secrets to reusable workflows. We should have it fixed up shortly! I’ll post here when it’s working.

1 Like

Aaaand it’s fixed 🎉

Here’s what you need to do to reference an environment secret in a reusable workflow:

  • In your calling workflow, pass it with secrets
  • In your called workflow, define it in secrets at the top of the file
  • In your called workflow, and specifically the job where you want to access it, reference the environment (just like normal). Then it will be available as secrets.ENV_SECRET like normal
1 Like
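
The three steps in the answer above, written out as a caller and a called workflow. This is an added example, not code from the original posts or from GitHub. The file paths, the `production` environment name, the `environment` input and the `workflow_dispatch` trigger are assumptions; `ENV_SECRET` and `deployment.yml` are the names used in the thread.

```yaml
# File 1 (caller), assumed path: .github/workflows/release.yml
name: Release
on:
  workflow_dispatch:

jobs:
  deploy:
    # A job that calls a reusable workflow cannot set `environment:` itself,
    # so the environment name travels as an input.
    uses: ./.github/workflows/deployment.yml
    with:
      environment: production                  # assumed environment name
    secrets:
      ENV_SECRET: ${{ secrets.ENV_SECRET }}    # step 1: pass it with secrets
---
# File 2 (called), assumed path: .github/workflows/deployment.yml
name: Deployment
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
    secrets:
      ENV_SECRET:                              # step 2: define it in secrets
        required: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    # step 3: reference the environment in the job that needs the secret
    environment: ${{ inputs.environment }}
    steps:
      - name: Check that the secret resolved
        env:
          # Mapped below workflow level, where the thread found secrets resolve
          ENV_SECRET: ${{ secrets.ENV_SECRET }}
        run: |
          # Test for presence only; do not echo the value into the job log.
          test -n "$ENV_SECRET" || { echo "ENV_SECRET is empty"; exit 1; }
```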

Wow that was fast! I’ll test this first thing Monday!

1 Like

@jenschelkopf - How does the calling workflow get access to the environment specific value without specifying it in the calling yaml? As @pecigonzalo pointed out, a job that uses a reusable workflow doesn’t seem to allow setting environment. So, when the workflow runs, the value of secret.MY_SECRET in the calling workflow is blank and therefore passes blank to the called workflow. Can you share a simple example of two yaml files that use the correct syntax to accomplish this?

I put together a simpler example and it works! Now to go figure out what’s wrong in my more complex yaml.