can't use GitHub secrets in repo-specific setup

[marten-seemann]

I need to pass the GitHub Token to a job configured in the repo-specific setup. We just started compiling our protobufs in CI (libp2p/go-libp2p#1986), and we need to install protoc for that, and unless we use the GitHub Token as described in https://github.com/arduino/setup-protoc#usage, we'll run into rate limits pretty quickly.

Now it's not possible to use ${{ secrets.GITHUB_TOKEN }} in a composite step, see the following failure:
https://github.com/libp2p/go-libp2p/actions/runs/3899398859/jobs/6659026659

I assume this is because the composite action doesn't have access to the secrets. I haven't found anything about that in the documentation (I didn't do a comprehensive search though). Since we trust our composite action steps (they're checked into the same repository as the go-test / go-check workflow, after all), I can't see a problem with passing the GitHub token, or even the entire secrets object, if that's possible, to the composite action.

@galargh What do you think? Does that make sense? If so, go-libp2p would like to test this as an early adopter :)

[galargh]

We can't use secrets but we do have access to the token through github context. I made the change here - libp2p/go-libp2p@4d50e22 - and here's successful run - https://github.com/libp2p/go-libp2p/actions/runs/3900757127/jobs/6661794054.

[marten-seemann]

It works! Thank you for the quick reply @galargh!

Should this be documented in the README? This is probably not the last time somebody will run into this issue.

[galargh]

Good idea! I'm on it.