The problem with reusable workflows

• The calling workflow usually needs to pass data to the reusable workflow
• GitHub limits the ways we can do that. Because security
• GHA calls these workflow inputs
• env/config data can be passed via with and secrets
• Example:

jobs:
  call-docker-build:
    name: Call Docker Build
    uses: bretfisher/docker-build-workflow/.github/workflows/reusable-docker-build.yaml@main
    secrets:
      dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
    with:
      dockerhub-enable: true
      image-names: ghcr.io/${{ github.repository }}
      tag-rules: |
        type=ref,event=pr
        type=raw,value=gha-${{ github.run_id }}

Passing data to reusable workflows

Reusable workflows accept data via inputs

1. First, let’s add an inputs array to our reusable workflow on:workflow_call: event
2. Next, we pass those input values to the Action steps: ${{ inputs.<input-name> }}
3. Then we’ll add matching with and secrets key:values to our calling workflow

Add input to the Trivy workflow in

<org>/actions/.github/workflows/reusable-trivy.yml

• Add these inputs lines under the workflow_call: event

on:
  workflow_call:
    inputs:
      image:
        description: Image to scan
        required: true
        type: string

• Then pass that value to the trivy action step at bottom

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.11.2
        with:
          image-ref: ${{ inputs.image }}