Jay-flow

Reputation: 187

Can't I use the secret value of the repository when using the GitHub Action of another repository?

I'm making a GitHub Action for the launch of Marketplace. https://github.com/dooboolab/relay-schema-bot

Can't I use the secret value of the repository when using the GitHub Action of another repository?

In other words, I want to use the secret value of the repository to be called, not the secret value of the calling side.

I want to do it in a way other than this, because the secret value of the Jay-flow/relay-schema-bot repository is not used.

name: Relay Schema bot

on:
  push:
    branches:
      - master
    paths:
      - 'schema.graphql'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: dooboolab/relay-schema-bot@master
        with:
          token: ${{ secrets.PAT }}
          repo-url: https://github.com/Jay-flow/artifacts-pro

          # I don't want to enter it as below,
          # because the secret value of the Jay-flow/relay-schema-bot repository is not used.
          app-id: ${{ secrets.APP_ID }}
          app-private-key: ${{ secrets.APP_PRIVATE_KEY }}

The APP_PRIVATE_KEY value is required to make a pull request from the GitHub application I created. The problem is that the user should not know this value. Is there any way to make this possible?

Note https://github.com/dooboolab/relay-schema-bot/blob/master/src/createPullRequest.ts#L18

Upvotes: 2

Views: 693

Answers (1)

VonC

Reputation: 1328122

This does not seem possible, from the "encrypted secrets" documentation.

  • either the user of your action is able to provide the secret which will enable said action to create a PR on the target repository
  • or your action might call a dedicated action on that target repo, and said dedicated action would be in charge of returning the appropriate secret.
    But then, nothing would prevent another user from calling the same dedicated action on the target repository: the secret would be a secret no more.

Upvotes: 1
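
The mechanism behind the answer, as an added example (not code from relay-schema-bot or from either poster): a JavaScript action runs on the caller's runner and receives each `with:` value as an `INPUT_<NAME>` environment variable, so only secrets the calling workflow passes ever reach it. The helper names, the `secret` flags and the sample environment are constructed for illustration.

```javascript
// Added illustration; DECLARED_INPUTS mirrors the `with:` keys in the question's
// workflow. The `secret` flags and all sample values are constructed.
const DECLARED_INPUTS = [
  { name: 'token', secret: true },
  { name: 'repo-url', secret: false },
  { name: 'app-id', secret: true },
  { name: 'app-private-key', secret: true },
];

// The runner exposes each input as INPUT_<NAME>: upper-cased, spaces -> underscores.
function inputEnvName(name) {
  return 'INPUT_' + name.replace(/ /g, '_').toUpperCase();
}

// Resolve inputs from the runner environment. Nothing here can reach secrets
// stored in the action's own repository: only what the caller passed is present.
function resolveInputs(env) {
  const values = {};
  const missing = [];
  const maskCommands = [];
  for (const { name, secret } of DECLARED_INPUTS) {
    const raw = (env[inputEnvName(name)] || '').trim();
    if (!raw) { missing.push(name); continue; }
    values[name] = raw;
    if (!secret) continue;
    // Mask line by line so no single line of a multi-line key is logged.
    for (const line of raw.split(/\r?\n/)) {
      if (line.trim()) maskCommands.push('::add-mask::' + line.trim());
    }
  }
  return { values, missing, maskCommands };
}

// Constructed environment: the caller passed only token and repo-url.
const callerEnv = {
  'INPUT_TOKEN': 'constructed-token-value',
  'INPUT_REPO-URL': 'https://github.com/Jay-flow/artifacts-pro',
};
const result = resolveInputs(callerEnv);
console.log('missing inputs:', result.missing.join(', '));
console.log('mask commands to emit:', result.maskCommands.length);
```

With the constructed environment, `app-id` and `app-private-key` are reported missing: secrets stored in the action's repository never appear on the caller's runner, and any value the caller does pass is by definition known to the caller.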
