Using environment in workflow_call #25238
-
For some reason I am unable to access environment values (note: I’m not referring to env values) in a workflow_call. Here is my example: script_outer.yml
script_inner.yml
When outer_test runs, I get the following output in the Action runner:
When the inner_test runs I get the following:
The AWS_ACCESS_KEY_ID secret is an environment secret. It is not a repository secret not is it an organization secret. The action runner completes without error and reports success at the end of execution. This is a stripped down example to demonstrate that I am not getting the value I expect to get in “script_inner.yml”. I am not trying to print out the value un-obfuscated. I do have a work around but using GitHub Environments would make our code much cleaner so it is my preferred method of passing these secrets to script_inner.yml. This seems like a bug to me. Is anyone else familiar with this specific scenario? |
Beta Was this translation helpful? Give feedback.
Replies: 7 comments 13 replies
-
I think you have to explicitly pass down the secret to your workflow. So on your workflow call you have something like this.
and you pass it when calling it on the uses
Good luck |
Beta Was this translation helpful? Give feedback.
-
This is correct. Fwiw, it’s documented here:
Reusing workflows - GitHub DocsLearn how to avoid duplication when creating a workflow by reusing existing workflows. |
Beta Was this translation helpful? Give feedback.
-
By the time we get to the call_workflow step in script_outer.yml, the “environment: dev” is already out of scope because it pertained to the outer_test step. So I would need to be able to re-declare the environment in the call_workflow step. This is not possible however. You will receive errors if you try to define an environment in the same step where you are using a uses. This means you can not pass down a secret from the environment to the inner workflow. You can only pass down secrets that are a part of the global scope and not ones that are a part of an “environment” specific scope. |
Beta Was this translation helpful? Give feedback.
-
It sounds like I’m having a similar or maybe the same problem. I can pass secrets down but not environment values even if they’re in the outer scope. e.g. I have something like the following
In my docker-build-and-push.yml I have
However, when it’s run, IMAGE_TAG is blank in the lower workflow. If in the outer workflow I type in an explicit value, it works fine. e.g.
Thanks |
Beta Was this translation helpful? Give feedback.
-
Not the same issue but I have a work around for you. If you have a step before “build” that declares an output, you can use that in the call to docker-build-and-push.yml. Here’s an example:
As a side note, I have had your issue before as well. I’m pretty sure it’s a bug. |
Beta Was this translation helpful? Give feedback.
-
I was finally able to get a solution/clarification from GitHub support. The following example outputs “Match” if you have an environment called TestEnvironment with a secret called TEST_SECRET set to 123 in your repository.
This is what’s happening (and is the intended functionality of GitHub Actions). The last line in the parent script, “TEST_SECRET: ${{ secrets.TEST_SECRET }}” is granting access to the child script to read the value TEST_SECRET. It is not actually passing the value because TEST_SECRET is not in scope at this point in the code and is therefor an empty string. Since it’s being passed in however, when the “environment: TestEnvironment” line is run in the child workflow, it populates that secret with the environment’s value and can be used in the associated steps. |
Beta Was this translation helpful? Give feedback.
-
I am trying to pass env variable
|
Beta Was this translation helpful? Give feedback.
I was finally able to get a solution/clarification from GitHub support. The following example outputs “Match” if you have an environment called TestEnvironment with a secret called TEST_SECRET set to 123 in your repository.