
How to pass a parameterized secret to a reusable GitHub Action workflow?

I am running into an issue wherein I cannot make a part of my workflow reusable. Here is the gist of it:

deploy_app1:
  name: Deploy App1 / Production
  uses: ./.github/workflows/_deploy.yaml
  needs: validate
  if: ${{ needs.validate.outputs.deploy_app1 != 0 }}
  with:
    vercel_org_id: ${{ secrets.VERCEL_APP1_ORG_ID }}
    vercel_project_id: ${{ secrets.VERCEL_APP1_PROJECT_ID }}
    turbo_token: ${{ secrets.TURBO_TOKEN }}
    turbo_team: ${{ secrets.TURBO_TEAM }}
deploy_app2:
  name: Deploy App2 / Production
  uses: ./.github/workflows/_deploy.yaml
  needs: validate
  if: ${{ needs.validate.outputs.deploy_app2 != 0 }}
  with:
    vercel_org_id: ${{ secrets.VERCEL_APP2_ORG_ID }}
    vercel_project_id: ${{ secrets.VERCEL_APP2_PROJECT_ID }}
    turbo_token: ${{ secrets.TURBO_TOKEN }}
    turbo_team: ${{ secrets.TURBO_TEAM }}

As you can see, the org id and the project id can differ, while the actual steps of the reusable workflow are identical as they only differ in the input:

name: Deploy Application
on:
  workflow_call:
    input:
      vercel_org_id:
        type: string
        required: true
      vercel_project_id:
        type: string
        required: true
      turbo_token:
        type: string
        required: true
      turbo_team:
        type: string
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      VERCEL_ORG_ID: ${{ inputs.vercel_org_id }}
      VERCEL_PROJECT_ID: ${{ inputs.vercel_project_id }}
      TURBO_TOKEN: ${{ inputs.turbo_token }}
      TURBO_TEAM: ${{ inputs.turbo_team }}
    steps:
      - // ... do stuff ...

Unfortunately GitHub errors on the with clause at the very top when attempting to access the secrets before even passing them down:

The workflow is not valid. .github/workflows/production.yaml (Line: 74, Col: 22): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.VERCEL_APP1_ORG_ID

I couldn't find any way to solve this as all suggestions to handle secrets revolve around just sharing the same "global" secrets rather than parameterizing them.

How can I get this to work?

asked Oct 16 '25 08:10

Christian Ivicevic


1 Answer

Your problem is related to the fact that secrets are considered a different type of input in a workflow_call trigger configuration.

Here is a reference from the official GitHub documentation.

Therefore, your reusable workflow should instead look like this:

name: Deploy Application
on:
  workflow_call:
    secrets:
      vercel_org_id:
        required: true
      vercel_project_id:
        required: true
      turbo_token:
        required: true
      turbo_team:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      VERCEL_ORG_ID: ${{ secrets.vercel_org_id }}
      VERCEL_PROJECT_ID: ${{ secrets.vercel_project_id }}
      TURBO_TOKEN: ${{ secrets.turbo_token }}
      TURBO_TEAM: ${{ secrets.turbo_team }}
    steps:
      - // ... do stuff ...

Using the secrets keyword instead of the inputs one in your reusable workflow should resolve your problem.

answered Oct 19 '25 02:10

GuiFalourd
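
The answer shows the called workflow; the caller needs the matching change, because the `secrets` context is not available under `with`, which is what the error message reports. The following is an added example, not part of the original answer: the two caller jobs from the question, passing the values through the job-level `secrets:` mapping. The `validate` job is assumed to exist as in the asker's workflow and is not shown on the page.

```yaml
# Caller workflow (.github/workflows/production.yaml in the question).
# Secret values are passed under `secrets:`, not `with:`.
# The keys on the left must match the names declared under
# on.workflow_call.secrets in _deploy.yaml.
jobs:
  # validate: ... (assumed: defined here as in the asker's workflow, not shown on the page)

  deploy_app1:
    name: Deploy App1 / Production
    uses: ./.github/workflows/_deploy.yaml
    needs: validate
    if: ${{ needs.validate.outputs.deploy_app1 != 0 }}
    secrets:
      vercel_org_id: ${{ secrets.VERCEL_APP1_ORG_ID }}
      vercel_project_id: ${{ secrets.VERCEL_APP1_PROJECT_ID }}
      turbo_token: ${{ secrets.TURBO_TOKEN }}
      turbo_team: ${{ secrets.TURBO_TEAM }}

  deploy_app2:
    name: Deploy App2 / Production
    uses: ./.github/workflows/_deploy.yaml
    needs: validate
    if: ${{ needs.validate.outputs.deploy_app2 != 0 }}
    secrets:
      # Same reusable workflow, different per-app secrets.
      vercel_org_id: ${{ secrets.VERCEL_APP2_ORG_ID }}
      vercel_project_id: ${{ secrets.VERCEL_APP2_PROJECT_ID }}
      turbo_token: ${{ secrets.TURBO_TOKEN }}
      turbo_team: ${{ secrets.TURBO_TEAM }}
```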


