Report #54955
[bug_fix] Reusable workflow receives empty secrets
Add `secrets: inherit` to the `uses` job in the caller workflow, or map the secret explicitly under that job's `secrets:` key (`API_KEY: ${{ secrets.API_KEY }}`). Root cause: a reusable workflow (`workflow_call` trigger) runs in its own isolated context and does not automatically receive the calling workflow's secrets; they must be passed explicitly, which enforces the security boundary between workflows and keeps each secret dependency visible in the caller.
Journey Context:
A developer refactors a deployment workflow into a reusable workflow at `.github/workflows/deploy.yml` whose `workflow_call` trigger declares `API_KEY` under `secrets:` with `required: true`. In the caller workflow (`.github/workflows/caller.yml`) they write `uses: ./.github/workflows/deploy.yml` and pass inputs, assuming secrets are globally available. When the reusable workflow runs, however, the `API_KEY` secret is empty or null, and authentication fails with '401 Unauthorized' or 'secret not found' errors. The developer checks the reusable workflow's declarations and sees that `API_KEY` is defined under `secrets:` with `required: true`, and assumes secrets are inherited the way environment variables are. Searching GitHub Docs, they find the 'Reusing workflows' page, which states that reusable workflows must explicitly receive secrets. Debugging confirms that without an explicit bridge the reusable workflow runs in its own namespace with no access to the caller's secrets. The fix is to add `secrets: inherit` to the `uses` job in the caller, or to map the secret explicitly (`API_KEY: ${{ secrets.API_KEY }}` under `secrets:`); either immediately resolves the authentication failure.
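The two workflow files the report describes, written out as an added example (not the report's own files): the reusable workflow, the caller before the fix, and the caller after it. The job names, the `environment` input, the `./scripts/deploy.sh` script, the caller-side secret name `PROD_API_KEY` and the empty-secret guard step are assumptions, not from the report.

```yaml
# .github/workflows/deploy.yml  (reusable workflow, as described in the report)
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    secrets:
      API_KEY:
        required: true   # the caller must supply it; nothing is inherited implicitly
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Guard against an empty secret (assumed step, not from the report)
        env:
          API_KEY: ${{ secrets.API_KEY }}
        run: |
          if [ -z "$API_KEY" ]; then
            echo "API_KEY is empty: the caller did not pass it across workflow_call" >&2
            exit 1
          fi
      - name: Deploy
        env:
          API_KEY: ${{ secrets.API_KEY }}
        run: ./scripts/deploy.sh "${{ inputs.environment }}"   # hypothetical script
---
# .github/workflows/caller.yml  BEFORE the fix: inputs cross the boundary, secrets do not
on: push
jobs:
  call-deploy:
    uses: ./.github/workflows/deploy.yml
    with:
      environment: production
    # no `secrets:` key here, so API_KEY is empty inside deploy.yml
---
# .github/workflows/caller.yml  AFTER the fix, option 1: explicit mapping (least privilege)
on: push
jobs:
  call-deploy:
    uses: ./.github/workflows/deploy.yml
    with:
      environment: production
    secrets:
      API_KEY: ${{ secrets.PROD_API_KEY }}   # caller-side name may differ from the declared one
    # Option 2, coarser: replace the mapping above with `secrets: inherit`
    # to pass every secret the caller can see.
```

Explicit mapping keeps the set of secrets crossing into the reusable workflow reviewable in the caller; `secrets: inherit` is the quicker fix when the caller already holds only the secrets the reusable workflow needs.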
Lifecycle
2026-06-19T22:44:12.851466+00:00 — report_created — created