token workflow fails when nested in calling workflow
We have a handful of private app repos running similar workflows using this action to allow both git and the gh CLI to consume private assets and Python app dependencies. We normally use the basic GitHub token except for these ^^ shared assets. The token action works fine in a stand-alone workflow, but when I include it in a calling workflow, the private key is no longer visible and the nested workflow fails.
Otherwise this construct works in both public and private repo contexts:

```yaml
build_rpms:
  name: Build rpms
  permissions:
    contents: write
  uses: ./.github/workflows/rpmrel.yml
```
I tried adjusting the workflow permissions, but I could not find the right combination to make things work, if it's even supposed to work. The only workaround I found was to not use the above construct and just copy all the jobs into a single workflow file.
We mainly use the app token for just a few specific job steps, in this case one for the gh CLI:

```yaml
- name: Get GH token
  id: app_token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ vars.WORKFLOW_APP_ID }}
    private-key: ${{ secrets.WORKFLOW_KEY }}
    owner: ${{ github.repository_owner }}
- name: Download private release assets
  run: |
    gh release download --pattern '*.noarch.rpm' -R org/private-repo
    gh release download --pattern '*.noarch.rpm' -R org/another-repo
    gh release download --pattern '*.noarch.rpm' -R org/other-repo
  env:
    GH_TOKEN: ${{ steps.app_token.outputs.token }}
```
and one for Python packages using git URLs:

```yaml
- name: Get GH token
  id: app_token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ vars.WORKFLOW_APP_ID }}
    private-key: ${{ secrets.WORKFLOW_KEY }}
    owner: ${{ github.repository_owner }}
- name: Setup token for Python installation
  run: git config --global url."https://oauth2:${GH_TOKEN}@github.com".insteadOf ssh://[email protected]
  env:
    GH_TOKEN: ${{ steps.app_token.outputs.token }}
```
Is this still an issue? You cannot use the vars or secrets context in called workflows. This is by design. To pass vars to the called workflow, you need to use with and specify it as an input argument. If you want to use the secrets, you could either use secrets: inherit or pass the secrets along after the with attribute like this:

```yaml
build_rpms:
  name: Build rpms
  permissions:
    contents: write
  uses: ./.github/workflows/rpmrel.yml
  with:
    workflow-app-id: ${{ vars.WORKFLOW_APP_ID }}
  secrets:
    WORKFLOW_KEY: ${{ secrets.WORKFLOW_KEY }}
```
then your step becomes:

```yaml
- name: Get GH token
  id: app_token
  uses: actions/create-github-app-token@v2
  with:
    app-id: ${{ inputs.workflow-app-id }}
    private-key: ${{ secrets.WORKFLOW_KEY }}
    owner: ${{ github.repository_owner }}
```
Ref: https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/reuse-automations/reuse-workflows#passing-inputs-and-secrets-to-a-reusable-workflow
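The reply above shows the caller's side; the called workflow must also declare the input and the secret under `on: workflow_call`, or the values are silently absent. The following is an added example of that receiving side, not code from the original thread; the file name `rpmrel.yml`, the `ubuntu-latest` runner and the single download step are assumptions taken from the caller's `uses:` line and the earlier job steps.

```yaml
# .github/workflows/rpmrel.yml (assumed file name, matching the caller's `uses:` line)
on:
  workflow_call:
    inputs:
      workflow-app-id:
        description: GitHub App ID; read via inputs.*, since vars.* is not visible here
        required: true
        type: string
    secrets:
      WORKFLOW_KEY:
        description: App private key; read via secrets.*, only if the caller passes it or uses `secrets: inherit`
        required: true

jobs:
  build_rpms:
    runs-on: ubuntu-latest   # assumed runner
    permissions:
      contents: write
    steps:
      - name: Get GH token
        id: app_token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ inputs.workflow-app-id }}
          private-key: ${{ secrets.WORKFLOW_KEY }}
          owner: ${{ github.repository_owner }}
      # The private key never reaches this step; only the short-lived
      # installation token minted above is exposed as GH_TOKEN.
      - name: Download private release assets
        run: gh release download --pattern '*.noarch.rpm' -R org/private-repo
        env:
          GH_TOKEN: ${{ steps.app_token.outputs.token }}
```

Marking the input and secret `required: true` makes a caller that forgets `with:` or `secrets:` fail at workflow validation instead of at the token step.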