Inherit secret and pass specific secret to reusable workflow

[nvincent-vossloh]

Hi all,

I have a reusable workflow (hosted in an internal repository in my org, with other reusables and composites actions) which takes a secret as input in order to download the repository from the caller's workflow. Please note that this secret is not GITHUB_TOKEN but a token from a github app in order to be able to download other repositories later.

Now, in my reusable workflow, I wish to download the repository hosting the reusable in order to call one of the composite at the reference at which the reusable was called. However the secret passed initially is not sufficient because it was made for the caller. So I made another github app which can access the content of my repository containing my reusables and composites, this github app is installed on every repository and the secret key and app id are stored at the org level.
My reusable workflow reference that secret from the organization's secret and not from one of the secret input of the reusable workflow.

What I now struggle with, is that I wish the reusable workflow to inherit the secret by setting secret: inherit in the caller, and specify the secret input needed to download the caller's repository.

Here is a simplified version of the various pieces:
reusable.yml

name: Reusable workflow                                                                                                                                           
                                                                                                                          
on:                                                                                                                          
  workflow_call:                                                                                                                          
    secrets:                                                                                                                          
      access-token:                                                                                                                          
        description: >                                                                                                                          
          Token to download the caller's repository                                                                                                                          
        required: true                                                                                                                          
                                                                                                                          
jobs:                                                                                                                          
  job1:                                                                                                                                          
    runs-on: ubuntu-latest                                                                                                                                          
    steps:                                                                                                                          
      # Checkout the caller repository                                                                                                                          
      - name: Checking out the repository                                                                                                                          
        uses: actions/checkout@v4                                                                                                                          
                                                                                                                          
      - name: Get token to dl the repository hosting reusable and composites actions                                                                                                                          
        id: app-token                                                                                                                                   
        uses: actions/create-github-app-token@v1                                                                                                                                   
        with:                                                                                                                                   
          app-id: ${{ vars.ORG_ACTIONS_WORKFLOW_APP_ID }}                                                                                                                                          
          private-key: ${{ secrets.ORG_ACTIONS_WORKFLOW_APP_PRIVATE_KEY }}                                                                                                                                          
          owner: ${{ github.repository_owner }}                                                                                                                                   
                                                                                                                          
      - name: Checkout Vossloh Actions repository                                                                                                                          
        uses: actions/checkout@v4                                                                                                                          
        with:                                                                                                                          
          repository: 'org/my-actions'                                                                                                                                                
          ref: '${{ github.action_ref }}'                                                                                                                          
          path: 'my-actions'                                                                                                                                  
                                                                                                                          
      - name: Call composite action to build and push docker image                                                                                                                          
        uses: ./my-actions/docker/build-push                                                                                                                                        
        with:                                                                                                                          
          access-token: ${{ secrets.access-token }}                                                                                                                          
          image-name: ${{ inputs.image-name }}                                                                                                                          
          metadata-tags: ${{ inputs.metadata-tags }}

caller.yml:

name: use reusable workflow

on:
  push:
    branches:
      - nvi/test-composite-actions

# Limit permissions of the GITHUB_TOKEN
permissions:
  contents: read  # needed to fetch source
  packages: write   # neeed to push image to ghcr.io
jobs:
  call-build-docker-devenv:
    uses: org/my-actions/.github/workflows/reusable@<ref>
    secrets:
      access-token: ${{ secrets.CALLER_REPO_TOKEN }}

In the caller workflow I cannot inherit (ORG_ACTIONS_WORKFLOW_APP_PRIVATE_KEY and specify secrets (access-token)