From f0f6e62b1e997f0106fb425402d00774ab6282d9 Mon Sep 17 00:00:00 2001
From: Hubert Ott
Date: Mon, 30 Mar 2026 14:09:16 +1030
Subject: [PATCH] feat(workflow): Allow explicit AWS_SECRET_ACCESS_KEY input and improve docs
---
 .../workflows/nx-serverless-deployment.yml | 4 ++++
 docs/nx-serverless-deployment.md | 22 +++++++++++++++++++
 2 files changed, 26 insertions(+)
diff --git a/.github/workflows/nx-serverless-deployment.yml b/.github/workflows/nx-serverless-deployment.yml
index caf1648..9d88541 100644
--- a/.github/workflows/nx-serverless-deployment.yml
+++ b/.github/workflows/nx-serverless-deployment.yml
@@ -26,6 +26,9 @@ on:
 type: boolean
 required: false
 default: false
+ secrets:
+ AWS_SECRET_ACCESS_KEY:
+ required: false
 jobs:
 deploy:
@@ -71,6 +74,7 @@ jobs:
 if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
 echo "❌ Error: AWS_SECRET_ACCESS_KEY is not defined as a secret in your $ENVIRONMENT environment"
+ echo "or passed in via an external secret from the calling workflow"
 exit 1
 fi
diff --git a/docs/nx-serverless-deployment.md b/docs/nx-serverless-deployment.md
index 4f8faec..46cd11f 100644
--- a/docs/nx-serverless-deployment.md
+++ b/docs/nx-serverless-deployment.md
@@ -21,6 +21,9 @@ These should be configured in your GitHub Environment (or at the repository leve
 | `CFN_ROLE` | ✅ | Secret | CloudFormation role ARN to assume |
 | `AWS_REGION` | ❌ | Variable | AWS Region to deploy to (defaults to ap-southeast-2) |
+
+**Note:** If calling this workflow from an external GitHub organisation, you will need to pass the AWS_SECRET_ACCESS_KEY explicitly (see example below).
+
 #### Example Usage
 ```yaml
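Review bot: The `secrets:` entry added in the first hunk of .github/workflows/nx-serverless-deployment.yml declares `AWS_SECRET_ACCESS_KEY` with only `required: false`, so nothing at the declaration tells a caller when to pass it or which value applies if the target environment also defines a secret of that name. I would add `description: 'AWS secret access key; pass explicitly only when the environment secret is not available to the run, e.g. cross-organisation callers'` under it, plus a comment stating the precedence if the deploy job sets `environment:` (the job definition and the rest of the `on:` block are outside this hunk). Because this makes a long-lived AWS key an input that crosses repository boundaries, the caller example added in docs/nx-serverless-deployment.md would be safer pinned to a full commit SHA than to `@main`, so that a later push to that branch cannot change the code that receives the key.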
@@ -47,4 +50,23 @@ jobs:
 with:
 environment: ${{ github.ref_name == 'production' && 'Production' || 'Staging' }}
 package-manager: npm
+```
+
+```yaml
+name: 🚀 Deploy
+
+on:
+ push:
+ branches:
+ - staging
+ - production
+
+jobs:
+ deploy:
+ uses: aligent/workflows/.github/workflows/nx-serverless-deployment.yml@main
+ with:
+ environment: ${{ github.ref_name == 'production' && 'Production' || 'Staging' }}
+ package-manager: npm
+ secrets:
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 ```
\ No newline at end of file