Using environment in workflow_call #25238

jasoncarteref · 2022-01-10T16:39:50Z

jasoncarteref
Jan 10, 2022

For some reason I am unable to access environment values (note: I’m not referring to env values) in a workflow_call. Here is my example:

script_outer.yml

jobs:
  outer_test:
    name: Outer test
    environment: dev
    runs-on: ubuntu-latest
    steps:
      - name: Outer Environment Test
        run: |
          echo "secrets: ${{ secrets.AWS_ACCESS_KEY_ID }}"
call_workflow:

name: Call Workflow

uses: [my repo]/.github/workflows/script_inner.yml@[SHA]

script_inner.yml

on: 
  workflow_call
jobs:

inner_test:

name: Inner test

environment: dev

runs-on: ubuntu-latest

steps:

- name: Inner Environment Test

run: |

echo "secrets: ${{ secrets.AWS_ACCESS_KEY_ID }}"

When outer_test runs, I get the following output in the Action runner:

secrets: ***

When the inner_test runs I get the following:

secrets:

The AWS_ACCESS_KEY_ID secret is an environment secret. It is not a repository secret not is it an organization secret. The action runner completes without error and reports success at the end of execution.

This is a stripped down example to demonstrate that I am not getting the value I expect to get in “script_inner.yml”. I am not trying to print out the value un-obfuscated. I do have a work around but using GitHub Environments would make our code much cleaner so it is my preferred method of passing these secrets to script_inner.yml. This seems like a bug to me. Is anyone else familiar with this specific scenario?

Answered by jasoncarteref

Mar 28, 2022

I was finally able to get a solution/clarification from GitHub support. The following example outputs “Match” if you have an environment called TestEnvironment with a secret called TEST_SECRET set to 123 in your repository.

name: Test Parent
on: push
jobs:
  Job1:
    uses: ./.github/workflows/test_child.yml
    secrets:
      TEST_SECRET: ${{ secrets.TEST_SECRET }}

name: Test Child
on: 
  workflow_call:
    secrets:
      TEST_SECRET:
        required: true
jobs:
  Job1:
    runs-on: ubuntu-latest
    environment: TestEnvironment
    steps:
      - name: Step 1
        run: |
          if [ "${{ secrets.TEST_SECRET }}" == "123" ]; then
            echo "Match"
          else
           …

View full answer

deanro · 2022-01-23T01:42:41Z

deanro
Jan 23, 2022

I think you have to explicitly pass down the secret to your workflow. So on your workflow call you have something like this.

on:
  workflow_call:
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true

and you pass it when calling it on the uses

uses: .......
    secrets:
      AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}

Good luck
Dean.

0 replies

jsoref · 2022-01-23T07:45:07Z

jsoref
Jan 23, 2022

This is correct.

Fwiw, it’s documented here:

  <a href="https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow" target="_blank" rel="noopener nofollow ugc">GitHub Docs</a>

Reusing workflows - GitHub Docs

Learn how to avoid duplication when creating a workflow by reusing existing workflows.

0 replies

jasoncarteref · 2022-01-24T14:52:25Z

jasoncarteref
Jan 24, 2022
Author

By the time we get to the call_workflow step in script_outer.yml, the “environment: dev” is already out of scope because it pertained to the outer_test step. So I would need to be able to re-declare the environment in the call_workflow step. This is not possible however. You will receive errors if you try to define an environment in the same step where you are using a uses. This means you can not pass down a secret from the environment to the inner workflow. You can only pass down secrets that are a part of the global scope and not ones that are a part of an “environment” specific scope.

0 replies

deanro · 2022-01-24T18:52:36Z

deanro
Jan 24, 2022

It sounds like I’m having a similar or maybe the same problem. I can pass secrets down but not environment values even if they’re in the outer scope.

e.g. I have something like the following

name: CI/CD
env:

TAG_NAME: latest

on:

...
jobs:

build:

uses: <owner>/<repo>/.github/workflows/docker-build-and-push.yml@v1

with:

IMAGE_TAG: $TAG_NAME

In my docker-build-and-push.yml I have

on:
  workflow_call:
    inputs:
      IMAGE_TAG:
        required: true
        type: string

However, when it’s run, IMAGE_TAG is blank in the lower workflow.

If in the outer workflow I type in an explicit value, it works fine.

e.g.

  deploy:
    uses: <owner>/<repo>/.github/workflows/docker-build-and-push.yml@v1
    with:
      IMAGE_TAG: latest

Thanks
Dean.

0 replies

jasoncarteref · 2022-01-26T20:09:44Z

jasoncarteref
Jan 26, 2022
Author

Not the same issue but I have a work around for you. If you have a step before “build” that declares an output, you can use that in the call to docker-build-and-push.yml. Here’s an example:

on:
  push:
    branches-ignore:
      - qa
      - prod
jobs:

setup_vars:

runs-on: ubuntu-latest

steps:

- name: Setup shared variables

id: env_vars

run: echo "Variables set"

outputs:

TagBuild: ${{ !contains(github.ref, 'feature/') }}
tag_repo:

needs:

- setup_vars

uses: my_inner_workflow.yml@v1

with:

do_tag: ${{ needs.setup_vars.outputs.TagBuild }}

As a side note, I have had your issue before as well. I’m pretty sure it’s a bug.

0 replies

jasoncarteref · 2022-03-28T15:50:15Z

jasoncarteref
Mar 28, 2022
Author

I was finally able to get a solution/clarification from GitHub support. The following example outputs “Match” if you have an environment called TestEnvironment with a secret called TEST_SECRET set to 123 in your repository.

name: Test Parent
on: push
jobs:
  Job1:
    uses: ./.github/workflows/test_child.yml
    secrets:
      TEST_SECRET: ${{ secrets.TEST_SECRET }}

name: Test Child
on: 
  workflow_call:
    secrets:
      TEST_SECRET:
        required: true
jobs:
  Job1:
    runs-on: ubuntu-latest
    environment: TestEnvironment
    steps:
      - name: Step 1
        run: |
          if [ "${{ secrets.TEST_SECRET }}" == "123" ]; then
            echo "Match"
          else
            echo "Not matched"
          fi

This is what’s happening (and is the intended functionality of GitHub Actions). The last line in the parent script, “TEST_SECRET: ${{ secrets.TEST_SECRET }}” is granting access to the child script to read the value TEST_SECRET. It is not actually passing the value because TEST_SECRET is not in scope at this point in the code and is therefor an empty string. Since it’s being passed in however, when the “environment: TestEnvironment” line is run in the child workflow, it populates that secret with the environment’s value and can be used in the associated steps.

13 replies

tleerai Jan 2, 2023

I've been using the environment passed as a variable for a couple weeks now, no problems. So if that was a limitation, that has been resolved it seems.

hcastrofactored Feb 9, 2023

@jasoncarteref did you find a workaround for this?

-- @tleerai are you passing the environment as secret? or are you hardcoding the env name from the caller? wouldn't that defeat the point of having environments? Am I missing something?

Thanks, both, any help would be much appreciate it

tleerai Feb 10, 2023

I hard code the environment name in my calling file, but my calling file is environment specific.

Trying to use a single file for multiple environments introduces a rats nest of conditionals that should only be attempted if you're trying to maintain many environments, like say you have six or eight because you've got internal/external of each.

In those cases, I cannot say if using a variable works, I'd imagine it does though.

Generally speaking, I've learned that having a separate environment file, which has very limited code duplication, eases the troubleshooting errors that can crop up randomly due to conditional statements related to environments.

mariusfilipowski Apr 6, 2023

I had to change it a litte to let it work:

on: 
  workflow_call:
    secrets:
...
    inputs:
      environment:
        required: true
        type: string
jobs:

Then it worked wonderfully for me. Now I can write reusable workflows that can target different environments.
Thanks for the example

gilfthde May 26, 2023

Did anyone make this workaround work with environment variables?

aseem-heg · 2022-12-29T04:54:52Z

aseem-heg
Dec 29, 2022

I am trying to pass env variable ECR_REPOSITORY_NAME to a workflow but it doesnt work
I declare env variable in the same file

name: Create PR db on pull request
on:
 pull_request:

env:
 ECR_REPOSITORY_NAME: data-engineering/data-warehouse
 BRANCH_NAME: ${{ github.head_ref || github.ref_name }}

jobs:

 Build-Docker-image:
   name: Build docker image on GHA and upload to ECR and GHA artifact store
   uses: ./.github/workflows/build_docker_image.yml
   with:
     ECR_REPOSITORY: ${{ env.ECR_REPOSITORY_NAME }} # doesnt work
     IMAGE_TAG: ${{ github.sha }}

with:
   X: ${{ github.sha}}  # works

with:
   X: ${{ env.xyz}}  # NOT work
   X: $xyz  # NOT work

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Using environment in workflow_call #25238

{{title}}

Replies: 7 comments 13 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Using environment in workflow_call #25238

Replies: 7 comments · 13 replies

jasoncarteref Jan 24, 2022 Author

jasoncarteref Jan 26, 2022 Author

jasoncarteref Mar 28, 2022 Author

Replies: 7 comments 13 replies

jasoncarteref
Jan 24, 2022
Author

jasoncarteref
Jan 26, 2022
Author

jasoncarteref
Mar 28, 2022
Author