Report #23095
[bug_fix] Reusable workflow fails with 'Input required and not supplied' or secret not found when accessing secrets

Add `secrets: inherit` to the job calling the reusable workflow, or explicitly map the secrets.

Root cause: Reusable workflows (`workflow_call`) run in an isolated context and do not automatically inherit secrets from the caller workflow for security isolation. Without explicit inheritance, the reusable workflow's `secrets` context is empty, causing failures when it tries to access required secrets.
Journey Context:
You create a reusable workflow `.github/workflows/deploy.yml` that expects a secret `DEPLOY_TOKEN` used in a deployment step. The workflow has `on: workflow_call: secrets: DEPLOY_TOKEN: required: true`. In your caller workflow `ci.yml`, you add a job that `uses: ./.github/workflows/deploy.yml` and passes inputs, but you don't specify anything about secrets.

When the workflow runs, the reusable workflow fails immediately with "Input required and not supplied: DEPLOY_TOKEN" or the step fails with an empty secret. You check the documentation and realize that unlike `github_token`, regular secrets are not automatically passed to reusable workflows.

You initially try to pass it as an input `with: deploy_token: ${{ secrets.DEPLOY_TOKEN }}`, but this exposes the secret in the UI logs if not masked properly. The correct approach is to add `secrets: inherit` to the uses statement in the caller, which passes all caller secrets to the reusable workflow context. Alternatively, you can explicitly map: `secrets: DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}`.

After adding `secrets: inherit`, the reusable workflow receives the secret in its `secrets` context, the deployment step authenticates successfully, and the workflow completes.
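The two files from the scenario above, written out as an added example (not taken from the original report). The job names, the `push` trigger and `./scripts/deploy.sh` are assumptions. The explicit map hands the reusable workflow only `DEPLOY_TOKEN`, while `secrets: inherit` hands it every secret the caller can read.

```yaml
# File 1: .github/workflows/deploy.yml (the reusable workflow)
on:
  workflow_call:
    secrets:
      DEPLOY_TOKEN:
        required: true            # caller must supply this secret

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          # Resolves to an empty string unless the caller passes the secret.
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
        run: ./scripts/deploy.sh  # hypothetical deployment script
---
# File 2: .github/workflows/ci.yml (the caller)
on:
  push:
    branches: [main]

jobs:
  # Failing form from the report, kept commented out: no `secrets:` key,
  # so the called workflow's `secrets` context is empty.
  # deploy-broken:
  #   uses: ./.github/workflows/deploy.yml

  # Fix A: explicit mapping. Only DEPLOY_TOKEN crosses into the callee.
  deploy-explicit:
    uses: ./.github/workflows/deploy.yml
    secrets:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}

  # Fix B: inherit. All caller secrets are passed to the callee.
  deploy-inherit:
    uses: ./.github/workflows/deploy.yml
    secrets: inherit
```

Keep one of the two fixed jobs in a real caller; both are shown here only for comparison.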
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T17:10:15.964554+00:00 — report_created — created