
Why Your GitHub Actions Secrets Don't Work in Reusable Workflow Inputs
We recently migrated our Docker build workflows to use a shared reusable workflow. The migration looked straightforward: extract the build steps, parameterize the inputs, and call the shared workflow with secrets: inherit. CI immediately broke.

    Invalid workflow file (Line: 15, Col: 19): Unrecognized named-value: 'secrets'

The fix took 20 minutes. Understanding why took longer, and every answer led to another "but wait" question.

The Setup

The calling workflow passed a Rails master key as a build arg:

    jobs:
      build:
        uses: our-org/shared/.github/workflows/build-image.yml@main
        secrets: inherit
        with:
          build_args: |
            RAILS_MASTER_KEY=${{ secrets.RAILS_MASTER_KEY }}

This fails at parse time. GitHub validates the workflow file before anything runs and rejects secrets in that with: block.

Job-Level with: Is Not Step-Level with:

This is where it gets confusing, because with: appears in two very different places in a workflow file, and they have different rules.

Step-level with: passes input
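A pre-push check for the parse-time rejection described above, as an added example that is not part of the original post: a standard-library Python scan that flags secrets.* expressions inside a job-level with: block and ignores step-level with:. The function name, the indentation-based approach, and the second sample workflow with its REGISTRY_TOKEN secret are assumptions made for illustration.

```python
import re

SECRET_EXPR = re.compile(r"\$\{\{[^}]*\bsecrets\.")  # ${{ ... secrets.NAME ... }}
KEY = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:")

def find_secrets_in_job_with(workflow_text):
    """Return (line_no, job_id, text) per secrets.* use in a job-level `with:` (hypothetical helper)."""
    findings, in_jobs, in_with = [], False, False
    job_indent = key_indent = job_id = None
    for no, raw in enumerate(workflow_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key = m.group(1) if (m := KEY.match(raw)) else None
        if indent == 0:  # top-level key: only `jobs:` is of interest
            in_jobs, in_with = key == "jobs", False
            job_indent = key_indent = job_id = None
            continue
        if not in_jobs:
            continue
        # The first line under `jobs:` fixes the depth at which job ids appear.
        job_indent = indent if job_indent is None else job_indent
        if indent == job_indent:  # a new job starts
            job_id, key_indent, in_with = key, None, False
            continue
        # The first line under a job id fixes the depth of job-level keys.
        key_indent = indent if key_indent is None else key_indent
        if indent == key_indent:
            in_with = key == "with"  # step-level `with:` sits deeper, never here
        if in_with and SECRET_EXPR.search(raw):
            findings.append((no, job_id, raw.strip()))
    return findings

CALLER = """\
jobs:
  build:
    uses: our-org/shared/.github/workflows/build-image.yml@main
    secrets: inherit
    with:
      build_args: |
        RAILS_MASTER_KEY=${{ secrets.RAILS_MASTER_KEY }}
"""  # the calling workflow from the post
STEP_LEVEL = """\
jobs:
  build:
    steps:
      - uses: docker/login-action@v3
        with:
          password: ${{ secrets.REGISTRY_TOKEN }}
"""  # constructed sample: same context, but in a step-level `with:`
print(find_secrets_in_job_with(CALLER), find_secrets_in_job_with(STEP_LEVEL))
```

The scan relies on consistent space indentation rather than a full YAML parse, so it is a quick local check, not a substitute for GitHub's own validation.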



