Using Org-Wide Secrets in Shared GitHub Actions Workflows

This was surprisingly hard to find the answer to.

TL;DR: you cannot use org-wide secrets in a shared (reusable) workflow unless the caller passes them in, either by declaring them under workflow_call.secrets and passing them explicitly, or with secrets: inherit.

Take a shared workflow like this:

name: shared test workflow

on:
  workflow_call:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
      - name: NPM Auth
        run: echo '//registry.npmjs.org/:_authToken=${{ secrets.ORG_WIDE_NPM_TOKEN }}' > ~/.npmrc
      - name: NPM Install
        run: npm ci

Where ORG_WIDE_NPM_TOKEN is an organization-level GitHub Actions secret to which all repositories have access.

This org secret is not automatically available inside the shared workflow. You have to deliberately declare it in the workflow_call section of the shared workflow (and then pass it from the caller when using the workflow):

on:
  workflow_call:
    secrets:
      ORG_WIDE_NPM_TOKEN:
        required: true

Or use secrets: inherit when using the workflow:

jobs:
  test:
    uses: OctoCat/shared-workflows/.github/workflows/test.yml@main
    secrets: inherit
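The post shows the shared workflow declaring ORG_WIDE_NPM_TOKEN but not the matching caller for that explicit route. The following caller workflow is an added example, not from the original post; it assumes the shared workflow declares ORG_WIDE_NPM_TOKEN under on.workflow_call.secrets as above, and the OctoCat/shared-workflows path and main branch are placeholders copied from the post.

```yaml
# Caller workflow in a consuming repository (added example, not from the post).
# Assumes the shared workflow at this path declares ORG_WIDE_NPM_TOKEN under
# on.workflow_call.secrets with required: true.
name: test

on:
  push:

jobs:
  test:
    uses: OctoCat/shared-workflows/.github/workflows/test.yml@main
    # Explicit mapping: the key is the name the shared workflow declared,
    # the value is any secret this repository can read, including org-wide
    # secrets. Only the secrets listed here reach the shared workflow.
    secrets:
      ORG_WIDE_NPM_TOKEN: ${{ secrets.ORG_WIDE_NPM_TOKEN }}
```

The key and the value do not have to share a name: a caller can map the declared name to a different secret it holds, for example `ORG_WIDE_NPM_TOKEN: ${{ secrets.NPM_TOKEN_STAGING }}` (a constructed name). The trade-off against `secrets: inherit` is scope: `inherit` forwards every secret the calling workflow has access to, while the explicit list forwards only the named ones, so the shared workflow sees nothing it did not declare.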