如何将参数化秘密传递给可重用的GitHub操作工作流？

Question

我遇到了一个问题，我无法使我的工作流程的一部分可重用。这是它的要点

deploy_app1:
  name: Deploy App1 / Production
  uses: ./.github/workflows/_deploy.yaml
  needs: validate
  if: ${{ needs.validate.outputs.deploy_app1 != 0 }}
  with:
    vercel_org_id: ${{ secrets.VERCEL_APP1_ORG_ID }}
    vercel_project_id: ${{ secrets.VERCEL_APP1_PROJECT_ID }}
    turbo_token: ${{ secrets.TURBO_TOKEN }}
    turbo_team: ${{ secrets.TURBO_TEAM }}
deploy_app2:
  name: Deploy App2 / Production
  uses: ./.github/workflows/_deploy.yaml
  needs: validate
  if: ${{ needs.validate.outputs.deploy_app2 != 0 }}
  with:
    vercel_org_id: ${{ secrets.VERCEL_APP2_ORG_ID }}
    vercel_project_id: ${{ secrets.VERCEL_APP2_PROJECT_ID }}
    turbo_token: ${{ secrets.TURBO_TOKEN }}
    turbo_team: ${{ secrets.TURBO_TEAM }}

如您所见，组织id和项目id可能不同，而可重用工作流的实际步骤是相同的，因为它们只在输入中不同：

name: Deploy Application
on:
  workflow_call:
    input:
      vercel_org_id:
        type: string
        required: true
      vercel_project_id:
        type: string
        required: true
      turbo_token:
        type: string
        required: true
      turbo_team:
        type: string
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      VERCEL_ORG_ID: ${{ inputs.vercel_org_id }}
      VERCEL_PROJECT_ID: ${{ inputs.vercel_project_id }}
      TURBO_TOKEN: ${{ inputs.turbo_token }}
      TURBO_TEAM: ${{ inputs.turbo_team }}
    steps:
      - // ... do stuff ...

不幸的是，当试图在传递机密之前访问秘密时，在最上面的with子句上出现了with错误：

The workflow is not valid. .github/workflows/production.yaml (Line: 74, Col: 22): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.VERCEL_APP1_ORG_ID

我找不到解决这个问题的任何方法，因为所有处理秘密的建议都围绕着共享相同的“全局”秘密而不是参数化。

我怎么才能让这个起作用？

Answer 1

您的问题与以下事实有关：机密被认为是，这是workflow_call触发器配置中的不同类型的输入。

这是来自官方Github文档的参考资料。

因此，您的可重用工作流应该如下所示：

name: Deploy Application
on:
  workflow_call:
    secrets:
      vercel_org_id:
        required: true
      vercel_project_id:
        required: true
      turbo_token:
        required: true
      turbo_team:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      VERCEL_ORG_ID: ${{ secrets.vercel_org_id }}
      VERCEL_PROJECT_ID: ${{ secrets.vercel_project_id }}
      TURBO_TOKEN: ${{ secrets.turbo_token }}
      TURBO_TEAM: ${{ secrets.turbo_team }}
    steps:
      - // ... do stuff ...

在可重用工作流中使用secrets关键字而不是inputs关键字可以解决问题。