It was surprisingly hard to find the answer to this.

TL;DR: you cannot use org-wide secrets in a shared workflow without `secrets: inherit`.

Take a shared workflow like this:
```yaml
name: shared test workflow
on:
  workflow_call:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - name: NPM Auth
        run: echo '//registry.npmjs.org/:_authToken=${{ secrets.ORG_WIDE_NPM_TOKEN }}' > ~/.npmrc
      - name: NPM Install
        run: npm ci
```
Where `ORG_WIDE_NPM_TOKEN` is some shared GitHub Actions secret to which all repositories have access.

This org secret is not available in the shared workflow; you have to deliberately declare it in the `workflow_call` section (and then pass it when using the workflow):
```yaml
on:
  workflow_call:
    secrets:
      ORG_WIDE_NPM_TOKEN:
        required: true
```
Or use `secrets: inherit` when using the workflow:
```yaml
jobs:
  test:
    uses: OctoCat/shared-workflows/.github/workflows/test.yml@main
    secrets: inherit
```
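
To find shared workflows that only work when every caller uses `secrets: inherit`, you can compare the secrets a workflow reads against the ones it declares under `workflow_call`. The following check is an added example, not part of the original post; the function names are hypothetical, and it assumes block-style YAML with an unquoted `on:` key as in the snippets above.

```python
import re

# Matches ${{ secrets.NAME }} expressions in workflow text.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
KEY = re.compile(r"^(\s*)([\w-]+):")  # block-style "key:" lines; list items ("- x:") are skipped
IMPLICIT = {"GITHUB_TOKEN"}           # provided automatically, never declared

def declared_secrets(text):
    """Secret names under on.workflow_call.secrets, found by tracking indentation."""
    stack, names = [], set()
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()               # leave blocks that ended above this line
        stack.append((indent, key))
        path = [k for _, k in stack]
        if len(path) == 4 and path[:3] == ["on", "workflow_call", "secrets"]:
            names.add(key)
    return names

def undeclared_secret_refs(text):
    """Secrets the workflow reads but does not declare; these resolve only
    when the caller passes `secrets: inherit`."""
    used = set(SECRET_REF.findall(text))
    return sorted(used - declared_secrets(text) - IMPLICIT)

# Constructed sample input, modelled on the post's shared workflow.
JOBS = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: NPM Auth
        run: echo '//registry.npmjs.org/:_authToken=${{ secrets.ORG_WIDE_NPM_TOKEN }}' > ~/.npmrc
"""
UNDECLARED = "on:\n  workflow_call:\n" + JOBS
DECLARED = ("on:\n  workflow_call:\n    secrets:\n"
            "      ORG_WIDE_NPM_TOKEN:\n        required: true\n" + JOBS)

if __name__ == "__main__":
    print(undeclared_secret_refs(UNDECLARED))
    print(undeclared_secret_refs(DECLARED))
```

A non-empty result means the workflow depends on secrets it never declares, so its callers have to hand over everything they can access with `secrets: inherit` instead of passing only the named secret.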