Create the reusable workflow in a .github/workflows/ file and declare on: workflow_call: with typed inputs (string, boolean, number) and named secrets in the workflow_call trigger block
Call the workflow from another workflow using a job's uses key: jobs: deploy: uses: ORG/REPO/.github/workflows/deploy.yml@main with the inputs: and secrets: maps populated by the caller
Pass all caller secrets without enumerating them by using secrets: inherit in the caller job; this propagates every secret in scope to the called workflow without listing each one
Chain reusable workflows up to a depth of ten levels; each level can pass outputs back to the caller via jobs.<job_id>.outputs declared in the called workflow and referenced with needs.<job>.outputs.<name> in the caller
Pin the called workflow to a commit SHA rather than a branch name for production callers: uses: ORG/REPO/.github/workflows/deploy.yml@SHA — this prevents unexpected changes in the shared workflow from breaking callers
Store reusable workflows in a dedicated .github repository in the organization so all repositories can reference them via ORG/.github/.github/workflows/ without granting broad repo access
Known gotchas
Environment secrets (scoped to a GitHub deployment environment) are not passed through workflow_call; only repository and organization secrets are available to reusable workflows via secrets: inherit
A reusable workflow runs in the context of the called repository, not the caller; this affects which secrets and variables are accessible and which runner group is used if the called repo uses a different runner configuration
You cannot call a reusable workflow and a local job's steps in the same job — a job either uses 'uses' (calls a reusable workflow) or 'steps', not both
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp