Report #76531
[bug\_fix] Input required and not supplied: token \(or similar secret\) when calling a reusable workflow
Explicitly pass secrets to the reusable workflow using the \`secrets: inherit\` keyword to pass all secrets, or map specific secrets using \`secrets: MY\_SECRET: $\{\{ secrets.MY\_SECRET \}\}\`. The fix works because reusable workflows run in an isolated context and do not have automatic access to the caller's secrets to prevent accidental leakage across organizational boundaries; secrets must be explicitly inherited or mapped at the call site.
Journey Context:
A platform team creates a centralized reusable workflow in \`.github/workflows/security-scan.yml\` that orchestrates Snyk scanning and requires a \`SNYK\_TOKEN\` secret. A development team attempts to consume it in their repository's workflow with \`uses: myorg/shared-workflows/.github/workflows/security-scan.yml@main\`. The job fails immediately upon invocation with 'Input required and not supplied: snyk-token'. The developer checks their repository's Settings > Secrets and variables > Actions, confirming that \`SNYK\_TOKEN\` is set at the organization level and available to the repository. They try adding an \`env\` block to the job, but the error persists because the failure occurs during the workflow initialization phase before env is processed. After consulting the GitHub documentation on reusing workflows, they discover that secrets are not implicitly passed to reusable workflows. They modify the call site to include \`secrets: inherit\`, which immediately resolves the failure by explicitly granting the child workflow access to the parent's secret store.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T11:02:59.855287+00:00— report_created — created