 

GitHub Actions Passing Secret as Input for reusable workflow

I have a reusable workflow for building and pushing a docker image to ECR.

One of the inputs of the workflow is for specifying arguments for the docker build command. This is the command in the reusable workflow:

    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ${{ inputs.DOCKER_BUILD_ARGS }} .

In some cases, I need DOCKER_BUILD_ARGS to contain secrets, for example:

    secrets:
      AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    uses: XXXXX/.github/workflows/DockerBuildPushECR.yml@main
    with:
      ECR_REGISTRY: XXXXXX
      ECR_REPOSITORY: XXXXX
      DOCKER_BUILD_ARGS: "--build-arg PASSWORD=${{ secrets.PASSWORD }}"

GitHub complains that the workflow is not valid: "Unrecognized named-value: 'secrets'", because it only expects secrets in the secrets section.

I cannot pass it as a secret because the reusable workflow does not expect this secret; I just want it to be part of the string...

Can't use env because it cannot be used in conjunction with a reusable workflow.

How can I make this scenario work?

Mickey Cohen asked Apr 10 '26 15:04


1 Answer

What I ended up doing is adding 2 optional secrets to the reusable workflow and adding them as build args in the docker build command. This way, if they are passed - they are secrets, and if they are not - they are simply blank and this does not affect anything. It solved my scenario.

So, the secrets section looked like this:

    secrets:
      AWS_ACCESS_KEY:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      USERNAME:
        required: false
      PASSWORD: 
        required: false

and the build like this:

    - name: Build and tag image
      run: |
        docker build \
          -f ${{ inputs.DOCKERFILE }} \
          -t ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:${{ inputs.IMAGE_TAG }} \
          --build-arg USERNAME=${{ secrets.USERNAME }} \
          --build-arg PASSWORD=${{ secrets.PASSWORD }} \
          ${{ inputs.DOCKER_BUILD_ARGS }} \
          ${{ inputs.DOCKER_BUILD_CONTEXT }}

Of course, the Dockerfile needs to have corresponding arguments. This allowed me to pass up to 2 secrets "dynamically".

Mickey Cohen answered Apr 21 '26 10:04
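Putting the answer together as an added example (these are not the original poster's files): the callee side as it would be declared in `.github/workflows/DockerBuildPushECR.yml`, followed by a caller that passes the optional `PASSWORD` only through `secrets:` and keeps `with:` free of secret references. The `XXXXX` repository placeholders are the question's own; everything not on the page (the `type`/`default` declarations, the `actions/checkout`, `aws-actions/configure-aws-credentials` and `aws-actions/amazon-ecr-login` steps, the `AWS_REGION` input, and the caller's trigger) is an assumption.

```yaml
# Reusable workflow (assumed path: .github/workflows/DockerBuildPushECR.yml).
# Optional secrets USERNAME/PASSWORD are declared so a caller MAY pass them;
# when a caller omits them the build args are simply empty, as in the answer.
name: Build and push image to ECR
on:
  workflow_call:
    inputs:
      ECR_REGISTRY:
        required: true
        type: string
      ECR_REPOSITORY:
        required: true
        type: string
      IMAGE_TAG:
        required: true
        type: string
      AWS_REGION:                 # assumed input, not on the original page
        required: false
        type: string
        default: us-east-1
      DOCKERFILE:
        required: false
        type: string
        default: Dockerfile
      DOCKER_BUILD_CONTEXT:
        required: false
        type: string
        default: .
      DOCKER_BUILD_ARGS:          # non-secret extra flags only
        required: false
        type: string
        default: ""
    secrets:
      AWS_ACCESS_KEY:
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      USERNAME:
        required: false
      PASSWORD:
        required: false

jobs:
  build-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}

      - name: Log in to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build and tag image
        # Secrets are read from the step's env instead of being expanded
        # inline into the script, so shell quoting of their values is safe.
        env:
          USERNAME: ${{ secrets.USERNAME }}
          PASSWORD: ${{ secrets.PASSWORD }}
          IMAGE: ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:${{ inputs.IMAGE_TAG }}
        run: |
          # inputs.DOCKER_BUILD_ARGS is spliced verbatim into the script,
          # so only trusted callers should be able to set it.
          docker build \
            -f "${{ inputs.DOCKERFILE }}" \
            -t "$IMAGE" \
            --build-arg USERNAME="$USERNAME" \
            --build-arg PASSWORD="$PASSWORD" \
            ${{ inputs.DOCKER_BUILD_ARGS }} \
            "${{ inputs.DOCKER_BUILD_CONTEXT }}"

      - name: Push image
        run: docker push "${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:${{ inputs.IMAGE_TAG }}"

---
# Caller workflow (assumed path: .github/workflows/ci.yml). `with:` carries
# only plain strings; a `${{ secrets.* }}` reference there is exactly what
# triggers "Unrecognized named-value: 'secrets'" from the question.
name: CI
on:
  push:
    branches: [main]

jobs:
  image:
    uses: XXXXX/.github/workflows/DockerBuildPushECR.yml@main
    with:
      ECR_REGISTRY: XXXXXX
      ECR_REPOSITORY: XXXXX
      IMAGE_TAG: ${{ github.sha }}
      DOCKER_BUILD_ARGS: "--build-arg APP_VERSION=1.2.3"
    secrets:
      AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      PASSWORD: ${{ secrets.PASSWORD }}   # USERNAME left unset: arrives blank
```

One check worth doing on any image built this way: `--build-arg` values are recorded in image metadata and can be read back with `docker history` by anyone who can pull the image, so this pattern is acceptable for build-time-only credentials that are rotated, while BuildKit's `--secret` mounts (`RUN --mount=type=secret,...`) are the option that keeps the value out of the image entirely. GitHub masks declared secrets in job logs, but that masking does not extend to the image you push.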


