Recently, I played around with GitHub Actions and the authentication towards Azure, as you can read in this blog post.  I encountered some issues with using environment secrets, that I would like to share with you.  Let’s have a look!

The problem

I have a reusable workflow template, that needs to access my environment secrets to login to Azure.  I used the following syntax:

 jobs: 
    deploy-infra:
       runs-on: windows-latest
       environment: prd
       steps:
          - name: Log into Azure
            uses: azure/login@v1
            with:
               client-id: ${{ secrets.AZURE_CLIENT_ID }}
               tenant-id: ${{ secrets.AZURE_TENANT_ID }}
               subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

However, this gave me an exception that I could not log in, even after I triple-checked the correctness of the environment secrets.

The solution

I started digging into the documentation and soon I realized that the issue was related to the fact that I wanted to access secrets from within a reusable workflow.  Secrets need to be passed from within the parent workflow.

There are two ways to solve this:

1. Explicitly add secrets to the reusable workflow – similar to inputs – and pass each of them individually from the parent workflow.

This approach works, but it requires some additional input that I would like to avoid, if possible.

2. Automatically inherit all secrets from the parent workflow into the reusable workflow

Thanks to this feature, we are able to make all secrets of the parent workflow available in the child workflow.  All you have to do, is updating the parent workflow with the secrets: inherit statement.:

my-job:
   name: My Job
   uses: ./.github/workflows/my-reusable-template.yml
   with:
      INPUT_1: input1
      INPUT_2: input2
   secrets: inherit

Conclusion

A nice feature that simplifies the way you can deal with secrets in reusable workflows.  I hope this can save you some (troubleshooting) time!

Cheers!
Toon