Report #60825
[bug_fix] Secrets are empty or undefined in reusable workflows called by caller workflows
Explicitly pass secrets to the reusable workflow using secrets: inherit to pass all secrets, or map individual secrets with secrets: SECRET_NAME: ${{ secrets.SECRET_NAME }}
Journey Context:
A developer refactors a deployment job into a reusable workflow stored in .github/workflows/deploy-reusable.yml to share across multiple services. The caller workflow uses uses: ./.github/workflows/deploy-reusable.yml and passes inputs like environment and version. However, the reusable workflow fails when it attempts to authenticate to AWS using secrets.AWS_ACCESS_KEY_ID, reporting that the secret is empty or invalid.

The developer checks the repository settings and confirms the secrets exist at the organization level and are available to the repository. They verify the caller workflow hasn't been modified to exclude secrets. After reviewing the reusable workflow documentation, they realize that reusable workflows run in their own isolated context and do not automatically inherit secrets from the caller, unlike normal job steps which inherit the caller's secrets context.

The developer modifies the caller workflow's uses block to add secrets: inherit, which passes all repository secrets to the reusable workflow while maintaining the least-privilege boundary. Alternatively, for stricter control, they map only specific secrets. The next run successfully authenticates to AWS because the secrets context is now populated in the reusable workflow.
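The two files from the journey above, written out as an added example (not taken from the original report). The caller's file name, its trigger, the sample input values and the AWS_SECRET_ACCESS_KEY secret are assumptions; the `---` line only separates the two files in this listing.

```yaml
# Caller workflow: .github/workflows/deploy-service.yml (assumed file name)
on:
  push:
    branches: [main]                   # assumed trigger
jobs:
  deploy:
    uses: ./.github/workflows/deploy-reusable.yml
    with:
      environment: production          # sample value
      version: ${{ github.sha }}       # sample value
    # Option A: forward every secret available to the caller.
    # secrets: inherit
    # Option B (stricter): forward only the secrets the deploy needs.
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}  # assumed secret
---
# Reusable workflow: .github/workflows/deploy-reusable.yml
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
      version:
        type: string
        required: true
    # Declaring each secret as required makes a caller that forgets to
    # pass it fail with an error instead of running with an empty value.
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the secret reached this workflow
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        run: |
          # Tests for presence only; never echo the value itself.
          test -n "$AWS_ACCESS_KEY_ID" || { echo "::error::AWS_ACCESS_KEY_ID is empty"; exit 1; }
```

With Option A the reusable workflow can read secrets it never declared, so the `secrets:` block under `workflow_call` is what documents and enforces the interface when Option B is used.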
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T08:34:50.727790+00:00 — report_created — created