
I have a scan tool that is being run manually using the workflow_dispatch event. Now I want to use it automatically for all other repos, so I went with reusable workflows. But I'm getting issues there. I have also referred to the GitHub docs but didn't find anything helpful. The issue is that I'm not able to access the repository secrets defined in the called workflow's repository.

Why are repository secrets stored in the called workflow? Well, it's the scanning tool and it needs to be run both manually and also on commits, so the secrets are defined in that repository only. The secrets required include a personal access token for cloning the repo that is calling the scan tool (where the caller workflow is present) and various other secrets, such as for sending the scan report by email.

So I have added both the workflows. I just want to access the repository secrets in the called workflow.

Caller Workflow -

name: scan workflow
on: 
  push:
    branches: '**'

jobs:
  calling-scanner:
    uses: org/repo-name/.github/workflows/main.yml@main
    with:
      repo: ${{ github.event.repository.name }}
      branch: ${{ github.ref_name }}
    secrets: inherit

Called Workflow -

name: scanning-tool
on:
  workflow_call:
    inputs:
        repo:
          description: 'Repo Name'     
          required: true
          type: string
        branch:
          description: 'Branch name'     
          required: true
          type: string


jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: "actions/checkout@v3"
      - name: Python Dependency Installation
        uses: "py-actions/py-dependency-install@v3.0.0"
        with:
          path: requirements.txt
      - name: setup python
        uses: "actions/setup-python@v3.1.2"
        with:
          python-version: 3.8
      - name: Cloning the Git Repo to be Scanned
        run: git clone -b "${{ inputs.branch }}" "https://github-username:${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/org/${{ inputs.repo }}.git"

Error -

remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/org/TestDemo.git/'
Error: Process completed with exit code 128.

NOTE -

I'm able to run the scan tool workflow manually with the same credentials. It isn't a credential problem, as I have even created it a second time. Still it shows me the same error. That means it is not able to access the secrets.

Shivam Singh

1 Answer


There may be two issues here:

First, even when inheriting the secrets from the main workflow, you still need to configure the secrets the reusable workflow will use in the workflow_call configuration, as stated in the documentation: Using inputs and secrets in a reusable workflow.

Therefore, as you use the ${{ secrets.PERSONAL_ACCESS_TOKEN }} in the reusable workflow, your workflow_call trigger should look like this:

name: scanning-tool
on:
  workflow_call:
    inputs:
        repo:
          description: 'Repo Name'     
          required: true
          type: string
        branch:
          description: 'Branch name'     
          required: true
          type: string
    secrets:
        PERSONAL_ACCESS_TOKEN:
          required: true

Second, as stated in the documentation shared above:

Workflows that call reusable workflows in the same organization or enterprise can use the inherit keyword to implicitly pass the secrets.

Therefore, if your repository isn't part of an organization or enterprise, or if your secret isn't an ORGANIZATION secret, you'll have to pass the secret explicitly from the caller workflow:

name: scan workflow
on: 
  push:
    branches: '**'

jobs:
  calling-scanner:
    uses: org/repo-name/.github/workflows/main.yml@main
    with:
      repo: ${{ github.event.repository.name }}
      branch: ${{ github.ref_name }}
    secrets:
      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
GuiFalourd
  • No. This didn't work. Now the error is - Secret PERSONAL_ACCESS_TOKEN is required, but not provided while calling. By the way, you have suggested I have to pass the secret from the calling workflow to the called workflow. What I want is, the secret is already present in the called workflow, just inherit and use it. – Shivam Singh Nov 02 '22 at 13:53
  • Is your repository inside an organization, and the secret configured as an organization secret? – GuiFalourd Nov 02 '22 at 14:33
  • Yes, both repos are inside the org. So PERSONAL_ACCESS_TOKEN is a repository secret. There are also other secrets used in the workflow, some of them are org secrets. That's why I went with secrets: inherit. But it does not help. I'm failing at the first step only, where the personal access token is used – Shivam Singh Nov 02 '22 at 14:35
  • According to the [documentation](https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow), in both cases you still need to configure the secret in the reusable workflow. But you could only use the `inherit` keyword in the caller workflow if the secret is set at the organization level. – GuiFalourd Nov 02 '22 at 14:39
  • What I understand here is that it may be that your PERSONAL_ACCESS_TOKEN secret is not an ORGANIZATION secret (I updated the answer). – GuiFalourd Nov 02 '22 at 14:43
  • Thanks. I got the point. I thought with inherit you can access both org and repository secrets. But your point made it clear. Only org secrets are being accessed. – Shivam Singh Nov 02 '22 at 15:05
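For reference, here is a complete caller/called pair that reflects where the thread ends up. It is an added example, not code from the question, the answer, or GitHub's documentation. It assumes the personal access token is stored where the caller's job can see it (as a repository secret of the calling repo, or as an organization secret available to it), because the reusable workflow's job runs in the caller's context and is never given the called repository's own repository secrets. The file paths, the `scan.py` entry point, the `target` checkout directory and the optional `REPORT_SMTP_PASSWORD` secret are hypothetical; `org/repo-name` and the action versions are taken from the question.

```yaml
# ---------------------------------------------------------------------------
# File 1 (hypothetical path): org/repo-name/.github/workflows/main.yml
# The reusable ("called") workflow. Every secret it reads must be declared
# under workflow_call.secrets; a declared-but-unsupplied required secret
# fails fast with "Secret ... is required, but not provided while calling",
# which is the error seen in the comments above.
# ---------------------------------------------------------------------------
name: scanning-tool
on:
  workflow_call:
    inputs:
      repo:
        description: 'Name of the repository (within the org) to scan'
        required: true
        type: string
      branch:
        description: 'Branch to scan'
        required: true
        type: string
    secrets:
      PERSONAL_ACCESS_TOKEN:
        description: 'PAT with read access to the target repo; supplied by the caller'
        required: true
      REPORT_SMTP_PASSWORD:            # hypothetical second secret
        description: 'Used to e-mail the report; optional'
        required: false

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the scanner itself (this repository)
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v3.1.2
        with:
          python-version: '3.8'

      - name: Install scanner dependencies
        run: pip install -r requirements.txt

      # Clone the target with the token passed by the caller. Using the
      # checkout action's `token` input instead of embedding the PAT in a
      # clone URL keeps it off the shell command line, and
      # persist-credentials: false stops it being written into the cloned
      # repo's git config for later steps to pick up.
      - name: Check out the repository to be scanned
        uses: actions/checkout@v3
        with:
          repository: org/${{ inputs.repo }}
          ref: ${{ inputs.branch }}
          token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          path: target
          persist-credentials: false

      - name: Run the scanner against the target checkout
        env:
          # Hypothetical: expose the optional secret only to the step that needs it
          REPORT_SMTP_PASSWORD: ${{ secrets.REPORT_SMTP_PASSWORD }}
        run: python scan.py --target target   # hypothetical entry point

# ---------------------------------------------------------------------------
# File 2 (hypothetical path): <any repo in the org>/.github/workflows/scan.yml
# The caller. Secrets referenced here resolve in THIS repository's context.
# Passing them by name is the least-privilege option; `secrets: inherit`
# would forward every secret the caller can see, not only the ones needed.
# ---------------------------------------------------------------------------
---
name: scan workflow
on:
  push:
    branches: ['**']

jobs:
  calling-scanner:
    uses: org/repo-name/.github/workflows/main.yml@main
    with:
      repo: ${{ github.event.repository.name }}
      branch: ${{ github.ref_name }}
    secrets:
      PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
      # REPORT_SMTP_PASSWORD is optional in the called workflow, so it can be
      # omitted here by repos that do not want e-mailed reports.
```

The two documents are separated by `---` only so they fit in one listing; in practice each lives in its own repository. The practical consequence for the setup in the question is that PERSONAL_ACCESS_TOKEN has to exist in every calling repository (or as an organization secret the calling repositories are allowed to use); a repository secret configured only on the scanner repository is never visible to a job that runs in a caller's context, which is why the manual workflow_dispatch run succeeds while the reusable run fails with the same credential.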