Report #93428
[bug\_fix] Secret not found or Input required and not supplied when calling reusable workflows
Explicitly pass \`secrets: inherit\` in the caller workflow when invoking the reusable workflow with \`uses:\`, or explicitly map individual secrets using \`secrets: MY\_SECRET: $\{\{ secrets.MY\_SECRET \}\}\`. Reusable workflows do not automatically inherit the caller's secrets for security isolation; they must be explicitly passed.
Journey Context:
Developer refactors a deployment workflow into a reusable workflow located at \`.github/workflows/deploy-reusable.yml\` in the same repository. The reusable workflow defines required secrets in its \`on: workflow\_call: secrets: API\_KEY: required: true\` section. In the caller workflow \(\`.github/workflows/main.yml\`\), they add a job: \`deploy: uses: ./.github/workflows/deploy-reusable.yml\`. When the workflow triggers, it fails immediately with "Secret API\_KEY is required but not provided" or "Input required and not supplied". The developer checks the repository Settings > Secrets and confirms \`API\_KEY\` exists at the repository level. They assume reusable workflows inherit secrets automatically like normal jobs do with \`env:\`. After reviewing the GitHub documentation on reusing workflows, they discover the security model requires explicit secret passing. They modify the caller to: \`uses: ./.github/workflows/deploy-reusable.yml secrets: inherit\` which passes all secrets, or for granular control: \`secrets: API\_KEY: $\{\{ secrets.API\_KEY \}\}\`. The workflow then successfully passes the secret to the reusable workflow.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T15:24:21.921159+00:00— report_created — created