3

I have a number of GitHub actions that interact with Azure using the az command line, so I figured I'd try to write a reusable workflow to log into Azure. I have been following this guide: https://docs.github.com/en/actions/using-workflows/reusing-workflows

When I run my caller workflow, I get this error:

Error: .../log-into-azure/action.yml (Line: 21, Col: 14): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.DEV_APPLICATION_ID

My caller workflow contains this:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      with:
        secrets: inherit

My reusable workflow looks like this:

name: Log into Azure
description: 'Log into Azure.'

on:
  workflow_call:
    secrets:
      DEV_APPLICATION_ID:
        required: true
      DEV_SERVICE_PRINCIPAL_SECRET:
        required: true
      TENANT_ID:
        required: true

jobs:
  azure-login:
    runs-on: [self-hosted, ubuntu-latest]
    steps:

      - name: Azure login with elevated permissions
        shell: pwsh
        run: |
          az login --service-principal -u "${{ secrets.DEV_APPLICATION_ID }}" -p "${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}" --tenant "${{ secrets.TENANT_ID }}"

I have also tried to list the secrets explicitly in the caller workflow (instead of using secrets: inherit) like this:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      with:
        secrets:
          DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
          DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
          TENANT_ID: ${{ secrets.TENANT_ID }}

... but that gave the following error message:

The workflow is not valid. .github/workflows/deploy.yml (Line: 60, Col: 11): A mapping was not expected

EDIT 1

I have also tried to put secrets on the same indentation level as uses in my caller workflow, like this (lines 63-65):

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      secrets: inherit

That also fails:

Invalid workflow file: .github/workflows/deploy.yml#L65 The workflow is not valid. .github/workflows/deploy.yml (Line: 65, Col: 7): Unexpected value 'secrets'

Likewise if I do this:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      secrets:
        DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
        DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
        TENANT_ID: ${{ secrets.TENANT_ID }}

I get the exact same error message.

EDIT 2

Here is a minimal working example of my whole caller workflow:

name: Deploy to persistent environment

on:
  workflow_dispatch:

jobs:
  deploy-kms-to-persistent-environment:
    name: 'Deploy KMS to ${{ github.event.inputs.deployment_target}} from Git commit: ${{ github.sha }}'
    runs-on: [self-hosted, 3shape-ubuntu-latest]

    steps:

    - name: Azure login with elevated permissions
      uses: ./.github/actions/log-into-azure
      secrets: inherit
Claus Appel
  • 1,015
  • 10
  • 28

1 Answers1

3

Checking the official documentation, your problem occurs due to the indentation in the workflow calling the reusable workflow.

You are informing secrets that way:

      uses: ...
      with:
        secrets:

And it should be using secrets at the same level as with:

      uses: ...
      with:
      secrets:

Using your example, both options should look like this:

    - uses: ./.github/actions/log-into-azure
      secrets: inherit

and

    - uses: ./.github/actions/log-into-azure
      secrets:
          DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
          DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
          TENANT_ID: ${{ secrets.TENANT_ID }}

Note: In both case, with should be use for inputs, and not for secrets.

Example:

    uses: ...
    with:
      input1: value1
    secrets:
      secret1: ${{ secrets.SECRET1 }}

Moreover, note that you don't specify the runner and steps when calling a reusable workflows. You just specify the reusable workflow path with the uses field (with the ref), as you already configured the runner and the steps IN the reusable workflow.

In your case, it seems you're calling an action in the workflow, not a reusable workflow.

Example (compare to your workflow in the EDIT 2):

name: Deploy to persistent environment

on:
  workflow_dispatch:

jobs:
  job1:
    uses: owner/repo/.github/workflows/log-into-azure.yml@main #you need the ref here
    secrets: inherit
GuiFalourd
  • 15,523
  • 8
  • 44
  • 71
  • Thanks. But I tried that. That gives a syntax error. I have updated my OP with the code I used and the error message I get. – Claus Appel Sep 14 '22 at 10:03
  • Are you calling the reusable workflow in a job step? (could you also share the whole workflow calling the reusable in your question to try reproducing the error?) – GuiFalourd Sep 14 '22 at 10:09
  • Minimal failing example added to OP. – Claus Appel Sep 14 '22 at 10:15
  • Here is the problem: You don't specify the runner and steps when calling a reusable workflows. You just specify the reusable workflow path with the `uses` field, as you already configured the runner and the steps IN the reusable workflow. [Example](https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow) – GuiFalourd Sep 14 '22 at 11:05
  • Besides, looking at your example, it seems you're calling a local `action` in the workflow, not a `reusable workflow`, the syntax isn't the same. – GuiFalourd Sep 14 '22 at 11:17
  • Ohhhhh, `uses` needs to be at job level and not at step level! That makes sense. All right. Thanks. – Claus Appel Sep 14 '22 at 11:43