
Let's say you have a reusable workflow, where a workflow in one of your repositories (the caller workflow) will use a workflow in one of your other repositories (the called workflow, also known as the reusable workflow). Check out my article Sharing Jobs using workflow_call and a private repository (reusable code).
This also assumes you are familiar with Output. If not, check out my article GitHub Actions - Getting Started with Output.
You can
- Pass output between jobs
- Pass JSON output between jobs
- Pass input between workflows
- Pass secrets between workflows (this article)
Let's say you are using appleboy/scp-action@master to SCP one or more files in one of your GitHub repositories to one or more target servers using a private key to authenticate to the target servers.
In this example, at your repository > Settings > Secrets and variables > Actions, you would have a secret that contains the contents of the user's SSH private key file on the target server, such as $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519.
And then you would use key: ${{ secrets.PRIVATE_KEY }}
Notice in this example that this is a reusable workflow, as can be seen by the fact that it has on: workflow_call.
name: Reusable Workflow
run-name: ${{ github.workflow }} run by ${{ github.actor }}
on:
  workflow_call:
  workflow_dispatch:
jobs:
  github-action-job:
    runs-on: ubuntu-latest
    steps:
      - name: Checking out the repository code . . .
        uses: actions/checkout@v4
      - name: copy foo.jpg to /tmp/foo.jpg on EC2 instance ec2-10-11-12-13.compute-1.amazonaws.com
        uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.PRIVATE_KEY }}
          port: ${{ secrets.PORT }}
          source: "foo.jpg"
          target: "/tmp"
And let's say you have a caller workflow that calls the reusable workflow, perhaps something like this.
name: Caller Workflow
run-name: ${{ github.workflow }} run by ${{ github.actor }}
on:
  workflow_dispatch:
jobs:
  demo:
    uses: JohnDoe/Actions/.github/workflows/main.yml@main
In this scenario the job output will probably return something like this.
Error: can't connect without a private SSH key or password
This occurs because the secret that contains the SSH private key was not passed from the caller workflow to the reusable workflow. The fix is easy. We just need to add secrets: inherit to the caller workflow.
name: Caller Workflow
run-name: ${{ github.workflow }} run by ${{ github.actor }}
on:
  workflow_dispatch:
jobs:
  demo:
    uses: JohnDoe/Actions/.github/workflows/main.yml@main
    secrets: inherit
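secrets: inherit hands every secret the caller can read to the called workflow. As an added example (not from the original article), the same pair of workflows can instead pass only the four secrets the SCP step uses. It relies on GitHub's on.workflow_call.secrets and jobs.<job_id>.secrets keys and reuses the secret names and repository path shown above; the two files are separated by --- for display only.

```yaml
# Added example, file 1: JohnDoe/Actions/.github/workflows/main.yml
# The reusable workflow declares exactly which secrets it accepts.
name: Reusable Workflow
on:
  workflow_call:
    secrets:
      HOST:
        required: true
      USERNAME:
        required: true
      PRIVATE_KEY:
        required: true
      PORT:
        required: true
jobs:
  github-action-job:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: appleboy/scp-action@master
        with:
          host: ${{ secrets.HOST }}
          username: ${{ secrets.USERNAME }}
          key: ${{ secrets.PRIVATE_KEY }}
          port: ${{ secrets.PORT }}
          source: "foo.jpg"
          target: "/tmp"
---
# Added example, file 2: the caller workflow.
# Each secret is mapped by name instead of using "secrets: inherit",
# so the called workflow never sees the caller's other secrets.
name: Caller Workflow
on:
  workflow_dispatch:
jobs:
  demo:
    uses: JohnDoe/Actions/.github/workflows/main.yml@main
    secrets:
      HOST: ${{ secrets.HOST }}
      USERNAME: ${{ secrets.USERNAME }}
      PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
      PORT: ${{ secrets.PORT }}
```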