
Environment Secrets are not available on Reusable Workflow / Workflow Templates

Mar 14, 2026

Problem

Describe the bug

obs: this feature works as designed, but I believe it could be improved.

Problem: Passing an environment containing secrets to a reusable workflow is not enough to have the environment secrets available.

Example: In a repository, there is an environment called "myenv", which contains a single secret called "MY_SECRET". In this repository, there is also a workflow calling a reusable workflow.

This is the reusable workflow: [code block]

And this is the workflow: [code block]

When running this workflow, `MY_SECRET` isn't available. I see something like this in the logs: [code block] instead of this: [code block]

In order to make `MY_SECRET` available in the reusable workflow, I must explicitly write it in the workflow caller, like so: [code block]

Why can't the reusable workflow load all of the environment secrets automatically using just the environment's name? Is there a reason for not doing it?

In this repo you can find all of my experiments: https://github.com/AllanOricil/workflow-template-bug

Expected behavior: "Deployment Environment" secrets should be available in reusable workflows

What's not working? "Deployment Environment" secrets are not available in reusable workflows

Job Log Output: [code block]

Enable Environment Secrets in Reusable Workflows

Medium Risk

GitHub Actions does not automatically pass environment secrets to a reusable workflow. This is by design: reusable workflows are meant to be modular and explicit, so the caller declares exactly which secrets the called workflow receives (or opts into forwarding all of them with `secrets: inherit`). The explicit mapping keeps the called workflow to the least set of secrets it needs and makes the data flow visible in the caller.


  1. Update Workflow Caller to Pass Secrets

    Modify the workflow that calls the reusable workflow to explicitly pass the required environment secrets. This makes the secrets available in the context of the reusable workflow.

    yaml
    jobs:
      my_job:
        uses: ./.github/workflows/reusable-workflow.yml
        secrets:
          MY_SECRET: ${{ secrets.MY_SECRET }}

  2. Document Required Secrets in Reusable Workflow

    Add documentation within the reusable workflow to specify which secrets must be passed from the caller. This helps users understand what is required for the workflow to function correctly.

    yaml
    # Required Secrets:
    # - MY_SECRET

  3. Test the Updated Workflow

    Run the updated workflow to ensure that the environment secrets are now correctly passed and available within the reusable workflow. Check the logs to confirm that the secret is accessible. Test for presence rather than echoing the value: GitHub masks registered secret values in logs, but printing them is still an exposure risk. The check below assumes the step maps the secret into the environment with `env: MY_SECRET: ${{ secrets.MY_SECRET }}`.

    bash
    # Confirm the secret reached the reusable workflow without printing its value
    if [ -n "$MY_SECRET" ]; then
      echo "MY_SECRET is set"
    else
      echo "MY_SECRET is missing" >&2
      exit 1
    fi

  4. Review Security Implications

    Evaluate the security implications of passing secrets explicitly. Ensure that sensitive information is not logged or exposed in any way during the workflow execution.

    yaml
    # Ensure no secrets are printed in logs

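As an added, complete example (not code from the page or from the linked repository), here are both sides of the hand-off the steps above describe: a reusable workflow that declares `MY_SECRET` as a required `workflow_call` secret and checks it without printing it, and a caller that passes the secret explicitly. The file paths, the `myenv` environment name and the job names are assumptions; the caller must itself be able to read `secrets.MY_SECRET` for the mapping to work.

```yaml
# .github/workflows/reusable-workflow.yml  (assumed path; the caller's "uses:" must match)
name: reusable
on:
  workflow_call:
    secrets:
      MY_SECRET:
        description: "Secret the caller must hand over (assumed name)"
        required: true        # the run fails early if the caller does not pass it
jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: myenv         # assumed environment; its protection rules still apply here
    steps:
      - name: Verify MY_SECRET was passed in (without printing its value)
        env:
          MY_SECRET: ${{ secrets.MY_SECRET }}   # only secrets declared above (or inherited) exist here
        run: |
          if [ -z "$MY_SECRET" ]; then
            echo "MY_SECRET is empty: the caller did not pass it" >&2
            exit 1
          fi
          echo "MY_SECRET is set"
---
# .github/workflows/caller.yml  (assumed path)
name: caller
on:
  push:
    branches: [main]
jobs:
  call-reusable:
    uses: ./.github/workflows/reusable-workflow.yml
    # Explicit, least-privilege hand-off: only the secret the called workflow declares.
    secrets:
      MY_SECRET: ${{ secrets.MY_SECRET }}
    # Broader alternative: "secrets: inherit" forwards every secret the caller can access.
    # Prefer the explicit mapping above so the reusable workflow sees nothing extra.
```

The `required: true` declaration is the useful guard here: a caller that forgets the mapping fails at workflow validation instead of running with an empty secret, and the presence check inside the job catches the case where the mapping exists but resolves to nothing.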

Validation

Confirm that the workflow runs successfully and that the logs display the expected output without any errors related to missing secrets. Check that MY_SECRET is available in the context of the reusable workflow.

Submitted by Alex Chen

Tags: github-actions, ci-cd, runner, bug