This page explains how to consume reusable workflows and composite actions from
ITlusions/ITL.Github in your own repository.
- Your repository is in the `ITlusions` GitHub organization, or `ITlusions/ITL.Github` is set to public.
- A `GH_PAT` secret is configured in your repository for workflows that require cross-repo access (e.g. checking out a dependency).
```yaml
jobs:
  ci:
    uses: ITlusions/ITL.Github/.github/workflows/_reusable-ci-python.yml@main
    with:
      python-version: "3.12"
      artifact-name: "myproject-wheel"
    secrets:
      gh-pat: ${{ secrets.GH_PAT }}
```

- The `with:` block maps to the `inputs:` of the called workflow.
- The `secrets:` block passes named secrets. Only secrets explicitly declared in the reusable workflow can be forwarded.
- `@main` always uses the latest version of the workflow. See Versioning for pinning strategies.
```yaml
steps:
  - uses: ITlusions/ITL.Github/actions/setup-python-env@main
    with:
      python-version: "3.12"
      extra-install: "pip install -e ."
```

Composite actions are used inside `steps:`, unlike reusable workflows which are used inside `jobs:`.
Reusable workflows only accept secrets that are explicitly declared in their `on.workflow_call.secrets` block.
You cannot forward `secrets: inherit` unless the called workflow opts in.
```yaml
jobs:
  publish:
    uses: ITlusions/ITL.Github/.github/workflows/_reusable-publish-pypi.yml@main
    with:
      artifact-name: "myproject-wheel"
      commit-sha: ${{ github.sha }}
      environment: "production"
    # No secrets needed — this workflow uses OIDC (no PAT required)
```

| Secret | Used by | Purpose |
|---|---|---|
| `GH_PAT` | `_reusable-ci-docker.yml`, `_reusable-auto-tag.yml`, `_reusable-docker-retag.yml` | Cross-repo checkout and tag push |
Some workflows require explicit `permissions:` in the calling workflow file:

```yaml
jobs:
  release:
    permissions:
      contents: write   # required by _reusable-release-gh.yml
      id-token: write   # required by _reusable-publish-pypi.yml (OIDC)
      actions: read     # required to download artifacts from other runs
    uses: ITlusions/ITL.Github/.github/workflows/_reusable-release-gh.yml@main
    with:
      tag: "v1.2.3"
```
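The `@main` references and the permission requirements described on this page can be checked mechanically before a caller workflow is merged. The following is an added example, not part of ITL.Github: a line-based audit that flags ITL.Github references not pinned to a full commit SHA and jobs that lack the permissions named in this page's comments. The helper names, the `REQUIRED` table and the sample workflow are assumptions made for illustration.

```python
import re

# Required permissions per reusable workflow, taken from the comments on this page.
REQUIRED = {
    "_reusable-release-gh.yml": {"contents": "write"},
    "_reusable-publish-pypi.yml": {"id-token": "write"},
}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(ITlusions/ITL\.Github/\S+?)@(\S+)")
PERM_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\b")

# Constructed sample caller workflow (not from a real repository).
SAMPLE = """jobs:
  release:
    permissions:
      contents: read
    uses: ITlusions/ITL.Github/.github/workflows/_reusable-release-gh.yml@main
"""

def perms_in(lines):
    # Simplification: any indented "scope: read|write|none" line counts as a grant.
    return dict(m.groups() for l in lines if (m := PERM_RE.match(l)))

def split_jobs(body):
    """Split the text after jobs: into {job_name: [lines]} by two-space-indented keys."""
    jobs, name = {}, None
    for line in body.splitlines():
        if (m := re.match(r"^  ([\w-]+):\s*$", line)):
            name = m.group(1)
            jobs[name] = []
        elif name:
            jobs[name].append(line)
    return jobs

def audit(text):
    """Return findings for a caller workflow: unpinned refs and missing permissions."""
    head, _, body = ("\n" + text).partition("\njobs:")
    findings = []
    for job, lines in split_jobs(body).items():
        # A job-level permissions block replaces the workflow-level one.
        perms = perms_in(lines) or perms_in(head.splitlines())
        for m in filter(None, map(USES_RE.match, lines)):
            target, ref = m.groups()
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                findings.append(f"{job}: {target}@{ref} is not pinned to a commit SHA")
            for scope, level in REQUIRED.get(target.rsplit("/", 1)[-1], {}).items():
                if perms.get(scope) != level:
                    findings.append(f"{job}: needs permissions {scope}: {level}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The scan reads text rather than parsing YAML, so it does not handle shorthand such as `permissions: write-all`; treat a clean result as a first pass, not proof.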