Search code examples
visual-studio-codegithub-actionsvscode-extensions

"Property secrets is not allowed" in GitHub Actions worflow

I am currently looking at a GitHub Actions workflow in VS Code:

name: FooBar

permissions:
  id-token: write
  contents: read

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Select env to deploy to"
        type: choice
        options:
          - dev
          - int
          - prod
    secrets:
      AWS_ACCOUNT_ID:
        required: true
      AWS_RUNNER_EXECUTION_ROLE:
        required: true

jobs:
   ...

When running the workflow in GitHub, everything works as expected. However, VS Code with the YAML extension highlights the secrets property in workflow_dispatch as "not allowed":

Screenshot of warning. Property secrets is not allowed.

More details:

  • VS Code: v1.92.2
  • YAML extension: v1.15.0

Is the usage of secrets wrong in this context? How would I otherwise pass secrets to a manually-callable workflow?

Solution

  • Please see workflow schema for workflow_dispatch here. It only allows inputs.

    Regarding access to secrets in workflows, GitHub documentation does not explicitly say that a workflow has access to all secrets defined in a repo. This is likely because it is self-evident.

    Secrets belong to us. Repo does not come with any predefined secrets provided by GitHub. GitHub introduced secrets feature to make it easy for us to use OUR secrets without leaking them. When you define a secret in a repo, GitHub does not allow you to specify what workflows can access it. Therefore, it follows that secrets can be accessed either by all workflows or none. The latter case where secrets are not accessible to any workflow makes no sense, hence the case of secrets accessible by all workflows is the only logical conclusion.

    There is only one secret that is provided by GitHub - GITHUB_TOKEN, a short-lived token which is provided by GitHub to each workflow job to allow that job to access repo code, publish packages and access GitHub API. This secret is ephemeral, it lives for the duration of the job. It can only be used by the job it was issued for. In fact, there are as many of these secrets at any given time as there are jobs running at that time.

    GutHub documentation primarily focuses on when secrets are not accessible, such as in reusable workflows or when a modified workflow is triggered by pull requests from forked repo. This emphasis on the exceptions clarifies the default behaviour of secrets being accessible by repo workflows.