How to access secrets in Javascript GitHub actions?

Question

I am developing a reusable workflow using Javascript actions by following this tutorial. My action.yml looks like this.

name: "Test"
description: "Reusable workflow"
inputs:
  input-one:
    required: false
    type: string

runs:
  using: 'node16'
  main: 'dist/index.js'

But my question is how to access the secrets in dist/index.js?. Please note that I don't want the user to supply the secret as input, I would like to store the secret in my reusable workflow repository and use it whenever it's needed.

I tried to change the action.yml with env(So that I can use node process.env API to get the secret) but it's failing with an error saying that Unexpected value 'env'.

name: "Test"
description: "Reusable workflow"
inputs:
  input-one:
    required: false
    type: string

runs:
  using: 'node16'
  main: 'dist/index.js'
  env: 
    DUMMY_VAL: ${{ secrets.MY_REPOSITORY_SECRET }}

Answer 1

On GitHub.com, navigate to the main page of the repository. Under your repository name, click Settings. In the "Security" section of the sidebar, select Secrets, then click Actions. Click New repository secret. Credit: Google

Answer 2

I don't think that's possible. That would be somewhat a security vulnerability.

Examples clearly show that secrets have to be explicitly passed https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow

You can experiment with default value for it but looks like it's not supported for workflows. https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets

It would look like this (probably won't work):

on:
  workflow_call:
    secrets:
      access-token:
        description: 'Your secret'
        required: false
        default: ${{ secrets.your-secret }}

If it doesn't work you can try suggesting it as a feature here: https://github.com/orgs/community/discussions/categories/actions-and-packages