How to access secrets in Javascript GitHub actions?

Question

I am developing a reusable workflow using Javascript actions by following this tutorial. My action.yml looks like this.

name: "Test"
description: "Reusable workflow"
inputs:
  input-one:
    required: false
    type: string

runs:
  using: 'node16'
  main: 'dist/index.js'

But my question is how to access the secrets in dist/index.js?. Please note that I don't want the user to supply the secret as input, I would like to store the secret in my reusable workflow repository and use it whenever it's needed.

I tried to change the action.yml with env(So that I can use node process.env API to get the secret) but it's failing with an error saying that Unexpected value 'env'.

name: "Test"
description: "Reusable workflow"
inputs:
  input-one:
    required: false
    type: string

runs:
  using: 'node16'
  main: 'dist/index.js'
  env: 
    DUMMY_VAL: ${{ secrets.MY_REPOSITORY_SECRET }}

Answer 1

I don't think that's possible. That would be somewhat a security vulnerability.

Examples clearly show that secrets have to be explicitly passed https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow

You can experiment with default value for it but looks like it's not supported for workflows. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets

It would look like this (probably won't work):

on:
  workflow_call:
    secrets:
      access-token:
        description: 'Your secret'
        required: false
        default: ${{ secrets.your-secret }}

If it doesn't work you can try suggesting it as a feature here: https://github.com/orgs/community/discussions/categories/actions-and-packages