GitHub Actions Secret Inheritance
Reusable workflows are a common pattern in GitHub Actions. If your workflows have a secret dependency, secrets defined in the shared workflow repository aren’t accessible to caller workflows — each caller must have its own access to the secret.
My solution was creating an organization-level secret, giving caller repositories access to it, and adding secrets: inherit to the workflows.
My setup had a nested workflow architecture — an orchestrator workflow calling 3 separate task workflows in the same repository. For secret inheritance to work, the secrets needed to propagate from the caller all the way down to the task workflows.
# Caller → Orchestrator
# caller.yml
jobs:
  call-orchestrator:
    uses: org/repo/.github/workflows/orchestrator.yml@main
    secrets: inherit
# Orchestrator → Task(s)
# orchestrator.yml
jobs:
  call-task-1:
    uses: org/repo/.github/workflows/task-1.yml@main
    secrets: inherit
  call-task-2:
    uses: org/repo/.github/workflows/task-2.yml@main
    secrets: inherit
  call-task-3:
    uses: org/repo/.github/workflows/task-3.yml@main
    secrets: inherit
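
An added example, not from the original post: a small Python check that walks a chain of reusable-workflow calls like the one above and reports every hop where `secrets: inherit` is missing. The sample files are constructed, and the line-based parsing assumes two-space indented YAML with workflows keyed by file name.

```python
import re

# Constructed sample files mirroring the post's layout, keyed by file name.
# The call-task-2 hop deliberately omits `secrets: inherit`.
WORKFLOWS = {
    "caller.yml": """jobs:
  call-orchestrator:
    uses: org/repo/.github/workflows/orchestrator.yml@main
    secrets: inherit
""",
    "orchestrator.yml": """jobs:
  call-task-1:
    uses: org/repo/.github/workflows/task-1.yml@main
    secrets: inherit
  call-task-2:
    uses: org/repo/.github/workflows/task-2.yml@main
""",
    "task-1.yml": "jobs:\n  run:\n    runs-on: ubuntu-latest\n",
    "task-2.yml": "jobs:\n  run:\n    runs-on: ubuntu-latest\n",
}

# Assumption: two-space indentation, so job ids sit at 2 spaces and job keys at 4.
JOB = re.compile(r"^  ([\w-]+):\s*$")
USES = re.compile(r"^    uses:\s*\S*/([\w.-]+\.ya?ml)(?:@\S+)?\s*$")
INHERIT = re.compile(r"^    secrets:\s*inherit\s*$")

def reusable_calls(text):
    """Return (job, called_file, inherits) for each job calling a reusable workflow."""
    jobs, job = {}, None
    for line in text.splitlines():
        if m := JOB.match(line):
            job = jobs.setdefault(m.group(1), {"target": None, "inherit": False})
        elif job is not None and (m := USES.match(line)):
            job["target"] = m.group(1)
        elif job is not None and INHERIT.match(line):
            job["inherit"] = True
    return [(n, j["target"], j["inherit"]) for n, j in jobs.items() if j["target"]]

def broken_hops(workflows, entry, seen=frozenset()):
    """Follow the call chain from `entry`; list hops that lack `secrets: inherit`."""
    seen = seen | {entry}
    broken = []
    for job, target, inherits in reusable_calls(workflows.get(entry, "")):
        if not inherits:
            broken.append(f"{entry}:{job} -> {target}")
        elif target not in seen:
            broken += broken_hops(workflows, target, seen)
    return broken

if __name__ == "__main__":
    print(broken_hops(WORKFLOWS, "caller.yml"))
```

A hop that passes named secrets explicitly instead of `secrets: inherit` is also reported, since this check only recognises `inherit`.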