How are you meant to effectively use GitHub Actions in private projects?

Question

The limitations of GitHub Actions mean that you cannot have a shared workflow that needs secrets and you don't want to manually type them out in every action file. The secrets are not accessible from the org in public repos but also private env vars set by the parent are not passed in either?

Ref: how to split up common github actions in common files?

The "shared workflow" sets really basic SSH keys that are stored in private vars on the account. But the shared workflow cannot access them, and the parent cannot pass them in.

GitLab doesn't have this limitation, but aside from moving to GitLab is there another solution within GitHub?

Per https://docs.github.com/en/enterprise-cloud@latest/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise:

Warning: If you make an internal repository in your enterprise accessible to GitHub Actions workflows in other repositories, outside collaborators on the other repositories can indirectly access the internal repository, even though they do not have direct access to the internal repository. The outside collaborators can view logs for workflow runs when actions or workflows from the internal repository are used.

A shared workflow has to be public, a public workflow can't access your org's private keys. You can pass them in by hand, but this means you have to do it by hand for each and every service.

https://secrethub.io/docs/guides/github-actions/ can extend parent YAML files and all can access secrets set globally for a group, but their price point is too high for startups.

Answer 1

In your repository, .github/workflows/XXXXX.yml, you can update that file, and that can be used in actions. In that file, you can set secrets as an variable.