ISSUE-302 · High · Quick · CLI · CI/CD · Secrets
Reusable workflow called with `secrets: inherit`
Control: Reusable workflow must not use `secrets: inherit` · Config key: `reusableWorkflowsMustNotInheritSecrets`
📋 What is this?
A caller workflow passes `secrets: inherit` to a reusable workflow, handing it every secret the caller has access to.
⚠️ Impact
Inheriting is the wrong default. The callee — often a third-party reusable workflow — sees secrets it should never see. A compromise of the callee becomes a compromise of every caller's secret surface.
🔧 How to fix
Replace `secrets: inherit` with an explicit list naming only the secrets the callee actually needs.
✗ Before
The callee receives every secret the caller can reach.

```yaml
# .github/workflows/release.yml — ❌ Inherits everything
jobs:
  publish:
    uses: my-org/shared-workflows/.github/workflows/publish.yml@v1
    secrets: inherit
```

✓ After
The callee only sees the one secret it needs.

```yaml
# .github/workflows/release.yml — ✅ Named-secrets only
jobs:
  publish:
    uses: my-org/shared-workflows/.github/workflows/publish.yml@a1b2c3d4e5f6...
    secrets:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

💡 Tips
- Look at the callee's `on: workflow_call: secrets:` block to know exactly what to pass.
- If you author the reusable workflow, list each secret in the `secrets:` block explicitly — never accept `inherit` unconditionally.
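As an added example (not part of the plumber tool or this page), a small Python script that does what this control and the first tip describe: it flags jobs that call a reusable workflow with `secrets: inherit`, reads the callee's `on: workflow_call: secrets:` block, and renders the explicit `secrets:` mapping that should replace the inherit. Both workflow files are constructed inline, and the tiny YAML walker is an assumption that handles only nested `key: value` mappings.

```python
def parse_simple_yaml(text):
    """Minimal nested-mapping walker (assumption, not a real YAML parser):
    handles `key: value` / `key:` lines and skips full-line comments,
    which is enough for the jobs/uses/secrets and workflow_call keys."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:       # climb back out of deeper blocks
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()     # scalar leaf
        else:
            parent[key] = {}                # nested mapping follows
            stack.append((indent, parent[key]))
    return root

def find_inheriting_jobs(caller):
    """Job names that call a reusable workflow (`uses:`) with `secrets: inherit`."""
    return [name for name, job in caller.get("jobs", {}).items()
            if isinstance(job, dict) and "uses" in job and job.get("secrets") == "inherit"]

def declared_secrets(callee):
    """Secrets the callee declares under on.workflow_call.secrets (the first tip)."""
    return list(callee.get("on", {}).get("workflow_call", {}).get("secrets", {}))

def explicit_secrets_block(names, indent=4):
    """Render the `secrets:` mapping that forwards only the named secrets."""
    pad = " " * indent
    return "\n".join([f"{pad}secrets:"] +
                     [f"{pad}  {n}: ${{{{ secrets.{n} }}}}" for n in names])

# Constructed sample inputs: a caller that inherits, and the callee it invokes.
CALLER = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    uses: my-org/shared-workflows/.github/workflows/publish.yml@v1
    secrets: inherit
  lint:
    runs-on: ubuntu-latest
"""
CALLEE = """\
on:
  workflow_call:
    secrets:
      NPM_TOKEN:
        required: true
"""
```

Running `find_inheriting_jobs(parse_simple_yaml(CALLER))` reports `publish`, and `explicit_secrets_block(declared_secrets(parse_simple_yaml(CALLEE)))` prints the two-line `secrets:` mapping shown in the "After" snippet.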
⚙️ Configuration
This control is configured in `.plumber.yaml` under the `github` section:

```yaml
github:
  controls:
    reusableWorkflowsMustNotInheritSecrets:
      enabled: true
```

See the CLI documentation for the full configuration reference.