
Internal reusable GitHub workflow - using secrets in repository where workflow is

I am building a GitHub reusable workflow to act as a CI/CD pipeline for other repositories to use in our GitHub organization. Right now, the callee repository would need to pass in service principal credentials that the reusable workflow would use to log in to Azure, retrieve other secrets, etc. I was wondering if there was any possible way that the secrets that belong to the repository where the reusable workflow lives (say repo A) would be accessible when another workflow (say repo B) calls the reusable workflow, so that they do not need to pass in service principal creds or use the Azure/login action prior to calling the workflow. This would make it much easier, so teams wouldn't be required to create a new service principal and configure permissions to our key vault in order to use the reusable workflow. Instead, only the one service principal (with creds stored as a secret in repo A) would be used.

I know this is possible with organization secrets, but we would want to ensure that that org secret would only be used in the context of the reusable workflow, and not be capable of being used by other workflows. Basically, we need a way to have service principal creds consumable by every repository in our GitHub organization that wants to use the reusable workflow, but only in the context of the reusable workflow. I have been looking into using OIDC w/ Azure login, but since that is scoped to only specific repositories, I didn't think it would work if we scoped it to repository A when the workflow is technically being run in repository B.

I found a solution to this using OpenID Connect and the Azure/login action.
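The following is an added example (not code from the question or the answer) of how the two sides of that setup can look: the reusable workflow in repo A requests a GitHub OIDC token and exchanges it for Azure access with Azure/login, so a caller in repo B passes no credentials at all. The organization name, repository names, vault name and GUIDs are placeholders, and the Key Vault secret read is assumed as a stand-in for whatever the pipeline does after login.

```yaml
# .github/workflows/deploy.yml in example-org/repo-a (the reusable workflow)
# Added example; org, repo, vault and GUID values are placeholders.
name: reusable-deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
    # No `secrets:` block: callers hand over no credentials.

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # allows this job to request a GitHub OIDC token
      contents: read
    steps:
      - uses: azure/login@v2
        with:
          # App registration identifiers are not secrets, so they can live in
          # the workflow file itself instead of in any repository's secrets.
          client-id: 00000000-0000-0000-0000-000000000000        # placeholder
          tenant-id: 00000000-0000-0000-0000-000000000000        # placeholder
          subscription-id: 00000000-0000-0000-0000-000000000000  # placeholder

      - name: Read a deployment secret from Key Vault as the shared principal
        run: |
          secret=$(az keyvault secret show --vault-name example-vault \
                     --name deploy-token --query value -o tsv)
          echo "::add-mask::$secret"                  # keep it out of the job log
          echo "DEPLOY_TOKEN=$secret" >> "$GITHUB_ENV"

---
# .github/workflows/ci.yml in example-org/repo-b (a calling repository)
name: ci
on: [push]
jobs:
  call:
    uses: example-org/repo-a/.github/workflows/deploy.yml@main
    with:
      environment: prod
    # A called workflow can only lower the permissions it is given, so the
    # caller must grant id-token: write for the OIDC login to work.
    permissions:
      id-token: write
      contents: read
    # No `secrets:` here: repo B holds no service principal credentials.
```

On the Azure side, the app registration needs a federated credential that trusts the GitHub issuer (`https://token.actions.githubusercontent.com`) for a given subject claim. By default that subject names the calling repository (for example `repo:example-org/repo-b:ref:refs/heads/main`), which would mean one federated credential per caller. GitHub lets an organization customize the subject claim to include `job_workflow_ref`, the path and ref of the reusable workflow file, so the trust can be tied to the reusable workflow itself rather than to whichever repository calls it; that is what keeps the service principal usable only through this workflow.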
