
How to use GitHub action secrets in a reusable workflow?


I have a number of GitHub actions that interact with Azure using the az command line, so I figured I'd try to write a reusable workflow to log into Azure. I have been following this guide: https://docs.github.com/en/actions/using-workflows/reusing-workflows

When I run my caller workflow, I get this error:

Error: .../log-into-azure/action.yml (Line: 21, Col: 14): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.DEV_APPLICATION_ID

My caller workflow contains this:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      with:
        secrets: inherit

My reusable workflow looks like this:

    name: Log into Azure
    description: 'Log into Azure.'

    on:
      workflow_call:
        secrets:
          DEV_APPLICATION_ID:
            required: true
          DEV_SERVICE_PRINCIPAL_SECRET:
            required: true
          TENANT_ID:
            required: true

    jobs:
      azure-login:
        runs-on: [self-hosted, ubuntu-latest]
        steps:

          - name: Azure login with elevated permissions
            shell: pwsh
            run: |
              az login --service-principal -u "${{ secrets.DEV_APPLICATION_ID }}" -p "${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}" --tenant "${{ secrets.TENANT_ID }}"

I have also tried to list the secrets explicitly in the caller workflow (instead of using secrets: inherit) like this:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      with:
        secrets:
          DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
          DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
          TENANT_ID: ${{ secrets.TENANT_ID }}

... but that gave the following error message:

The workflow is not valid. .github/workflows/deploy.yml (Line: 60, Col: 11): A mapping was not expected

EDIT 1

I have also tried to put secrets on the same indentation level as uses in my caller workflow, like this (lines 63-65):

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      secrets: inherit

That also fails:

Invalid workflow file: .github/workflows/deploy.yml#L65 The workflow is not valid. .github/workflows/deploy.yml (Line: 65, Col: 7): Unexpected value 'secrets'

Likewise if I do this:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      secrets:
        DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
        DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
        TENANT_ID: ${{ secrets.TENANT_ID }}

I get the exact same error message.

EDIT 2

Here is a minimal working example of my whole caller workflow:

    name: Deploy to persistent environment

    on:
      workflow_dispatch:

    jobs:
      deploy-kms-to-persistent-environment:
        name: 'Deploy KMS to ${{ github.event.inputs.deployment_target}} from Git commit: ${{ github.sha }}'
        runs-on: [self-hosted, 3shape-ubuntu-latest]

        steps:

        - name: Azure login with elevated permissions
          uses: ./.github/actions/log-into-azure
          secrets: inherit


Solution

  • Checking the official documentation, your problem occurs due to the indentation in the workflow calling the reusable workflow.

    You are passing secrets this way:

          uses: ...
          with:
            secrets:
    

    And it should be using secrets at the same level as with:

          uses: ...
          with:
          secrets:
    

    Using your example, both options should look like this:

        - uses: ./.github/actions/log-into-azure
          secrets: inherit
    

    and

        - uses: ./.github/actions/log-into-azure
          secrets:
              DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
              DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
              TENANT_ID: ${{ secrets.TENANT_ID }}
    

    Note: In both cases, with should be used for inputs, not for secrets.

    Example:

        uses: ...
        with:
          input1: value1
        secrets:
          secret1: ${{ secrets.SECRET1 }}
    

    Moreover, note that you don't specify the runner and steps when calling a reusable workflow. You just specify the reusable workflow path with the uses field (with the ref), as you already configured the runner and the steps IN the reusable workflow.

    In your case, it seems you're calling an action in the workflow, not a reusable workflow.

    Example (compare to your workflow in the EDIT 2):

    name: Deploy to persistent environment
    
    on:
      workflow_dispatch:
    
    jobs:
      job1:
        uses: owner/repo/.github/workflows/log-into-azure.yml@main #you need the ref here
        secrets: inherit
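To show the whole shape the answer describes, here is an added example (not the poster's files and not from the answer) of the called workflow and its caller written as a reusable workflow pair: inputs declared under `inputs:` and passed with `with:`, secrets declared under `secrets:` and passed with `secrets:`, and `uses` placed on the job rather than on a step. The file name `log-into-azure.yml`, the `owner/repo` path, the `subscription` input and the constructed value `my-subscription` are assumptions; the secrets are handed to `az` through `env:` so their values are not interpolated into the command line.

```yaml
# .github/workflows/log-into-azure.yml   (called workflow; file name assumed)
name: Log into Azure
on:
  workflow_call:
    inputs:                 # plain values are declared here and passed with `with:`
      subscription:
        type: string
        required: false
    secrets:                # secrets are declared here and passed with `secrets:`
      DEV_APPLICATION_ID:
        required: true
      DEV_SERVICE_PRINCIPAL_SECRET:
        required: true
      TENANT_ID:
        required: true
jobs:
  azure-login:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - name: Azure login with elevated permissions
        shell: pwsh
        env:                # expose secrets to the step via the environment, not inline in the command
          APP_ID: ${{ secrets.DEV_APPLICATION_ID }}
          SP_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
          TENANT: ${{ secrets.TENANT_ID }}
          SUBSCRIPTION: ${{ inputs.subscription }}
        run: |
          az login --service-principal -u $env:APP_ID -p $env:SP_SECRET --tenant $env:TENANT
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }   # fail the step if az login failed
          if ($env:SUBSCRIPTION) { az account set --subscription $env:SUBSCRIPTION }

# .github/workflows/deploy.yml   (caller; `uses` sits on the job, not on a step)
name: Deploy to persistent environment
on:
  workflow_dispatch:
jobs:
  azure-login:
    # owner/repo is assumed; pin to a release tag or commit SHA rather than a moving branch
    uses: owner/repo/.github/workflows/log-into-azure.yml@main
    with:
      subscription: my-subscription   # constructed value
    secrets:                          # naming secrets explicitly gives the called workflow only what it needs
      DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
      DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
      TENANT_ID: ${{ secrets.TENANT_ID }}
```

Jobs do not share runner state by design, so a login performed in the called workflow's job does not carry over to a later deploy job; if the login must happen inside the deploy job itself, keep the composite action under `./.github/actions/` and pass the secret values to it as declared inputs under `with:`, since the `secrets` context is not available inside an action.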