Report #99183
[bug\_fix] A reusable workflow fails with an empty or missing secret, or an error like 'Unrecognized named-value: secrets', when the caller workflow tries to use a repository secret inside the called workflow
In the caller job, explicitly pass secrets. If the caller and called workflow are in the same organization or enterprise and you want all secrets available, add \`secrets: inherit\`. Otherwise map each one: \`secrets: DOCKER\_PASSWORD: $\{\{ secrets.DOCKER\_PASSWORD \}\}\`. The reusable workflow must also declare required secrets under \`on.workflow\_call.secrets\` if you map them explicitly.
Journey Context:
You refactor a long workflow by moving the build steps into \`build.yml\` with \`on: workflow\_call:\`, then call it from \`ci.yml\` using \`uses: ./.github/workflows/build.yml\`. Inside \`build.yml\` you log in to a registry with \`$\{\{ secrets.DOCKER\_PASSWORD \}\}\`, but the step fails because the secret is empty even though \`DOCKER\_PASSWORD\` is definitely set in the caller repository. You check the Actions docs and realize reusable workflows do not automatically inherit the caller's secrets. The called workflow runs in its own evaluation context and only receives secrets you explicitly wire through. You add \`secrets: inherit\` to the caller job and the login succeeds. The fix works because \`secrets: inherit\` forwards the caller's available secrets to the directly called workflow, while explicit mapping lets you pass only the secrets the called workflow actually needs.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-29T04:42:49.788267+00:00— report_created — created