How to use reusable GitHub workflows and keep secrets in a single place?

While reusable GitHub workflows do help with maintenance of GitHub Actions in general, reducing a lot of copy/paste from one repository to another, they still seem to have one big issue: dealing with secrets.

When implementing an action like "post to Slack" or "post to Matrix/IRC", you will need some secrets for the bot account, and if you want to reuse this action in 50 repositories you can imagine that managing secrets in each repository does not scale.

I am looking for a solution to this problem that does not involve deploying secrets to all repositories using an action, some way to centralize them.

Keep in mind that reusable workflows work across organizations and I already have some of them shared across 4+ organizations. So configuring organization-level secrets is not a solution either, also for other reasons: they can easily be exposed because they are available to any workflow (as opposed to environment-based ones).



Solution 1:[1]

Check if the new (May 2022) keyword secrets: inherit can help:

GitHub Actions: Simplify using secrets with reusable workflows

GitHub Actions simplifies using secrets with reusable workflows with the secrets: inherit keyword.

Previously when passing secrets to a reusable workflow, you had to pass each secret as a separate argument.

Now you can simply pass the secrets: inherit to the reusable workflow and the secrets will be inherited from the calling workflow.

Learn more about reusable workflows in GitHub Actions.

In the reusable workflow, reference the input or secret that you defined in the on key in the previous step.

If the secrets are inherited using secrets: inherit, you can reference them even if they are not defined in the on key.

jobs:
  reusable_workflow_job:
    runs-on: ubuntu-latest
    # The job references the "production" environment, so that environment's secrets become available to it
    environment: production
    steps:
      - uses: ./.github/workflows/my-action
        with:
          username: ${{ inputs.username }}
          # envPAT is an environment secret of "production", not a repository-level secret
          token: ${{ secrets.envPAT }}

In the example above, envPAT is an environment secret that's been added to the production environment. This environment is therefore referenced within the job.

Note: Environment secrets are encrypted strings that are stored in an environment that you've defined for a repository.
Environment secrets are only available to workflow jobs that reference the appropriate environment.
For more information, see "Using environments for deployment."
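As an added illustration (not part of the answer above or of GitHub's own documentation), here are the two files that make `secrets: inherit` work end to end: a reusable "notify Slack" workflow kept in one central repository, and the caller workflow that each consuming repository carries. The organization name `shared-org`, the repository name `workflows`, the secret name `SLACK_BOT_TOKEN`, the channel `#builds` and the `<full-commit-sha>` placeholder are all assumptions made for the example.

```yaml
# File 1 (assumed location): shared-org/workflows/.github/workflows/notify-slack.yml
# The reusable workflow. It lives once, in the central repository.
name: Notify Slack (reusable)

on:
  workflow_call:
    inputs:
      message:
        required: true
        type: string
    secrets:
      SLACK_BOT_TOKEN:
        required: true   # satisfied either by an explicit "secrets:" mapping or by "secrets: inherit"

jobs:
  notify:
    runs-on: ubuntu-latest
    # Resolved against the CALLER repository's environments, so the caller's
    # "production" environment secrets and protection rules apply here.
    environment: production
    steps:
      - name: Post message
        # Pass secret and input through env rather than interpolating them into the
        # shell script, so the message text cannot inject shell syntax.
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
          MESSAGE: ${{ inputs.message }}
        run: |
          curl -sS -X POST https://slack.com/api/chat.postMessage \
            -H "Authorization: Bearer ${SLACK_BOT_TOKEN}" \
            -H 'Content-type: application/json' \
            --data "{\"channel\":\"#builds\",\"text\":\"${MESSAGE}\"}"

---
# File 2 (assumed location): .github/workflows/ci.yml in every consuming repository
# The caller. It is short and identical in each repository.
name: CI

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test

  notify:
    needs: build
    # Pin to a full commit SHA: whatever is at this ref receives every inherited secret,
    # so a mutable branch or tag here would let a change in the shared repo read them.
    uses: shared-org/workflows/.github/workflows/notify-slack.yml@<full-commit-sha>
    with:
      message: "Build of ${{ github.repository }} succeeded"
    # Forward all secrets the caller can see (repository, organization, and the
    # "production" environment once the called job references that environment).
    secrets: inherit
```

Two points worth keeping in mind when reading this. First, `secrets: inherit` removes the per-secret plumbing between caller and callee, but it does not centralize the secret itself: `SLACK_BOT_TOKEN` must still exist somewhere the caller can see it (repository, organization, or the `production` environment of the caller repository). Second, inheritance hands the called workflow every secret the caller has, not just the one it needs, which is why the `uses:` reference is pinned to a full commit SHA rather than a branch or tag, and why an explicit `secrets:` mapping is the tighter choice when the callee only needs one or two values.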

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 VonC