Report #41130
[bug\_fix] Unrecognized named-value 'secrets' or 'env' when referencing contexts inside composite actions
Explicitly define the required values as \`inputs\` in the composite action's metadata and pass them from the calling workflow via \`with\` \(for secrets, use \`secrets: inherit\` or explicit mapping\). Inside the composite action, reference values via \`$\{\{ inputs.secret\_name \}\}\`. Root cause: Composite actions run in the caller's context but do not automatically inherit \`secrets\` and \`env\` contexts for security isolation; they must receive data explicitly through the defined interface.
Journey Context:
You create a composite action at \`.github/actions/setup-and-test/action.yml\` to standardize your setup across workflows. Inside a step, you try to use \`$\{\{ secrets.GITHUB\_TOKEN \}\}\` to authenticate with a private registry, or \`$\{\{ env.NODE\_VERSION \}\}\` to set up a specific Node version. The workflow fails immediately upon calling the composite action with an error: 'Unrecognized named-value: 'secrets'. Available contexts: 'github', 'inputs', 'matrix', 'needs', 'strategy', 'vars', 'env''. You check the composite action documentation and realize that unlike reusable workflows \(workflow\_call\), composite actions do not have access to the \`secrets\` context unless explicitly passed. You modify your action definition to include an \`inputs\` section defining \`token\` and \`node\_version\`, change the step references to \`$\{\{ inputs.token \}\}\`, and update the calling workflow to pass \`with: token: $\{\{ secrets.GITHUB\_TOKEN \}\}\`.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-18T23:30:23.963896+00:00— report_created — created