When a job is used to call a reusable workflow, you can use secrets to provide a map of secrets that are passed to the called workflow.

Any secrets that you pass must match the names defined in the called workflow.

import { e, workflow } from 'https://deno.land/x/actionify@0.3.0/mod.ts';

const ci = workflow({ name: 'ci' })
  .on('push')
  .job('call-workflow', (job) => job
    .uses('octo-org/example-repo/.github/workflows/called-workflow.yml')
    .secrets((ctx) => ({
      'access-token': e.expr(ctx.secrets.PERSONAL_ACCESS_TOKEN)
    }))
  );

Use the inherit keyword to pass all the calling workflow's secrets to the called workflow. This includes all secrets the calling workflow has access to, namely organization, repository, and environment secrets. The inherit keyword can be used to pass secrets across repositories within the same organization, or across organizations within the same enterprise.

import { e, Runner, workflow } from 'https://deno.land/x/actionify@0.3.0/mod.ts';

const ci = workflow({ name: 'ci' })
  .on('workflow_dispatch')
  .job('pass-secrets-to-workflow', (job) => job
    .uses('./.github/workflows/called-workflow.yml')
    .secrets('inherit')
  );

const reusable = workflow({ name: 'called-workflow' })
  .on('workflow_call')
  .job('pass-secret-to-action', job => job
    .runsOn(Runner.UbuntuLatest)
    .step(step => step
      .name('Use a repo or org secret from the calling workflow')
      .run(ctx => `echo ${e.expr(ctx.secrets.CALLING_WORKFLOW_SECRET)}`)
    )
  );