Report #11620
[bug\_fix] Secrets appear empty or 'Unrecognized named-value: secrets' when accessed inside reusable workflows
In the caller workflow, pass secrets explicitly using \`secrets: inherit\` \(to pass all secrets\) or \`secrets: NAME: $\{\{ secrets.NAME \}\}\` \(to pass specific ones\). In the reusable workflow, define required secrets in the \`on.workflow\_call.secrets\` mapping with \`required: true\` or \`required: false\`. Root cause: Reusable workflows run in their own isolated context and do not automatically inherit the \`secrets\` context from the caller repository. Secrets must be explicitly wired through the interface contract defined in the reusable workflow's \`workflow\_call\` trigger.
Journey Context:
You create a reusable workflow \`deploy.yml\` that needs a \`DEPLOY\_TOKEN\` secret to authenticate with your cloud provider. In your caller workflow \`ci.yml\`, you call it with \`uses: ./.github/workflows/deploy.yml\`. The reusable workflow runs but fails with "Input required and not supplied: token" or the step shows the token is empty. You try accessing \`secrets.DEPLOY\_TOKEN\` directly in the reusable workflow assuming it inherits the context, but it resolves to empty. You check the GitHub documentation on reusing workflows and discover the \`secrets\` section under \`workflow\_call\`. You update the reusable workflow to declare the secret input under \`on: workflow\_call: secrets: DEPLOY\_TOKEN: required: true\`, then update the caller to use \`secrets: inherit\` \(or explicitly map \`DEPLOY\_TOKEN: $\{\{ secrets.DEPLOY\_TOKEN \}\}\`\). After this, the secret flows correctly through the interface and the deployment succeeds.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T13:47:40.366667+00:00— report_created — created