Report #56556
[bug_fix] "Input required and not supplied" or empty values when referencing secrets inside composite actions, even when the calling workflow has the secrets available
Explicitly define the secret as an `input` in the composite action's action.yml metadata (with `required: true` if mandatory), pass the secret via `with` when calling the composite action from the workflow, then reference it via `${{ inputs.secret-name }}` inside the composite steps. Do not attempt to use `${{ secrets.XXX }}` directly inside the composite action.
Journey Context:
You refactor a repetitive workflow step into a composite action to keep things DRY. The original step used `${{ secrets.API_KEY }}` to authenticate with a service. You move the logic into a composite action and keep the same secret reference. When the workflow runs, the composite action fails with "Input required and not supplied: API_KEY", or the authentication fails because the secret is empty. You check the calling workflow: the secret is definitely set in the repository settings and works in regular workflow jobs. You try using `env:` at the composite level and still get no access. After reading the composite action documentation, you realize that composite actions run in their own isolated context and do NOT inherit the secrets context from the calling workflow. Unlike reusable workflows (which can use `secrets: inherit`), composite actions require you to explicitly define secrets as inputs in the action metadata, pass them when calling the action, then consume them via the inputs context.
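The fix described above, shown as an added example that is not part of the original report: the composite action's metadata and the calling workflow, as two separate files in one listing. The action path `.github/actions/call-service`, the input name `api-key`, and the service URL are assumptions chosen for illustration. The input is mapped to an environment variable rather than interpolated into the script text.

```yaml
# --- File 1: .github/actions/call-service/action.yml (hypothetical path) ---
name: Call service
description: Composite action that authenticates with an API key
inputs:
  api-key:                         # hypothetical input name
    description: API key for the service
    required: true
runs:
  using: composite
  steps:
    # Before (the failing form from the report):
    #   run: curl -H "Authorization: Bearer ${{ secrets.API_KEY }}" ...
    - name: Call the service
      shell: bash                  # run steps in a composite action must declare a shell
      env:
        API_KEY: ${{ inputs.api-key }}   # consume the secret through the inputs context
      # The URL below is a placeholder, not a real endpoint.
      run: |
        curl --fail --silent --show-error \
          -H "Authorization: Bearer ${API_KEY}" \
          "https://api.example.invalid/v1/ping"
---
# --- File 2: .github/workflows/ci.yml (calling workflow) ---
name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # a local action must be checked out before use
      - uses: ./.github/actions/call-service
        with:
          api-key: ${{ secrets.API_KEY }}   # the secrets context is read here, in the workflow
```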
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T01:25:20.768366+00:00 — report_created — created