Using organization secrets in reusable workflows

I imagine a fairly common use case is that organizations have a number of repositories with similar build and test processes. As such, reusable workflows are awesome. Within that, the organization has secrets which get used within said workflows.

Right now, secrets can be explicitly passed to reusable workflows, but that’s the only way to access them. So if we have 20 repositories using the same workflow, and that workflow accesses 7 secrets, then that’s 140 lines that are unnecessary if both repositories are in the same organization.

Am I missing something? Is there a way to do this now? Otherwise, this would be an amazing feature.

5 Likes

Hi - I’m the product manager for reusable workflows.

You’re right; the only way to access organization secrets is to explicitly pass them. We designed it this way in order to support the principle of least privilege.

If the secrets you are creating are primarily for cloud credentials, then you may find the upcoming feature Secure Cloud Deployments with OpenID Connect to be interesting. This feature will enable you to create a secret in AWS, Azure, GCP, HashiCorp, or other cloud services and then make that secret available to the reusable workflow, regardless of where it’s called from.

Hi @jenschelkopf!

Thank you for the insight. While that is useful, it doesn’t help with our specific situation. The workflow I’m using right now, for example, has the following secrets:

  • Path on remote server
  • Cloudflare zone
  • Remote server host
  • Remote server user
  • Private SSH key
  • Internal product ID
  • Slack webhook URL

None of these would be able to be exchanged with an OpenID. This workflow is used in ~20 repositories, and all but one secret is an organization secret. That means we have ~120 lines of redundant code, and changing the organization secret name has to be applied in every repo.

One option here would be the ability to allow organization secrets to be accessible to the repository which contains the reusable workflow. Secrets could even be manually selected or full access. This would tackle the issue for us and I suspect many others.

2 Likes
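For readers who want to see the explicit-pass mechanism the thread is discussing, here is a worked pair of workflows. This is an added example, not code from either poster or from GitHub's documentation; the secret names, the `example-org/shared-workflows` repository path and the `@v1` ref are constructed to mirror the list of seven secrets above. The first file is the reusable workflow, which has to declare every secret it consumes; the second is the caller block that each of the ~20 repositories has to repeat.

```yaml
# .github/workflows/deploy.yml in the organization's shared-workflows repository.
# Reusable workflow: organization secrets are not visible to it on their own,
# so every secret it uses must be declared under workflow_call.secrets.
name: Deploy (reusable)

on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: false
        default: production
    secrets:
      # Constructed names matching the seven secrets listed in the thread.
      DEPLOY_PATH:
        required: true
      CLOUDFLARE_ZONE:
        required: true
      DEPLOY_HOST:
        required: true
      DEPLOY_USER:
        required: true
      DEPLOY_SSH_KEY:
        required: true
      PRODUCT_ID:
        required: true
      SLACK_WEBHOOK_URL:
        required: true

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Deploy over SSH
        env:
          # Expose only the secrets this step needs, as environment variables,
          # rather than interpolating them into the shell script text.
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          umask 077
          printf '%s\n' "$DEPLOY_SSH_KEY" > "$RUNNER_TEMP/deploy_key"
          # accept-new pins the host key on first contact; a known_hosts
          # entry shipped with the workflow is the stricter option.
          rsync -az -e "ssh -i $RUNNER_TEMP/deploy_key -o StrictHostKeyChecking=accept-new" \
            ./ "$DEPLOY_USER@$DEPLOY_HOST:$DEPLOY_PATH/"
          rm -f "$RUNNER_TEMP/deploy_key"

---
# .github/workflows/ci.yml in each calling repository.
# This is the block that has to be repeated per repository: each
# organization secret is forwarded by name, one line per secret.
name: CI

on:
  push:
    branches: [main]

jobs:
  deploy:
    # Assumed org/repo path and ref; pin to a tag or commit SHA in practice.
    uses: example-org/shared-workflows/.github/workflows/deploy.yml@v1
    with:
      environment: production
    secrets:
      DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
      CLOUDFLARE_ZONE: ${{ secrets.CLOUDFLARE_ZONE }}
      DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
      DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
      DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
      PRODUCT_ID: ${{ secrets.PRODUCT_ID }}
      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
```

The per-secret mapping in the caller is the allow-list the product manager refers to: the called workflow can only read what the caller names, and renaming an organization secret means touching every caller. GitHub later added `secrets: inherit` as a caller-side shorthand that forwards all of the caller's secrets, which removes the repetition the thread complains about but also removes that allow-list; if you use it, limit exposure instead through the organization secret's repository access policy, so that only the repositories that actually run the deployment can see the SSH key and the webhook URL.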