Pass secrets between jobs using reusable workflows


I have a reusable workflow which expects some secrets to be passed, but these secrets are stored in a self-hosted Vault. How can I fetch the secrets from Vault in a job and pass them to a reusable workflow? I've tried passing the secret via outputs of the parent job, but it does not work, since GitHub skips the secrets being passed via output and shows the message "Skip output 'TOKEN' since it may contain secret."

I've also tried encrypting the secrets fetched in the parent job (tf-prepare) and decrypting them during the workflow call (tf-run), but that does not work either.

jobs:
  tf-prepare:
    runs-on: ubuntu-latest
    outputs:
      TOKEN: ${{ steps.secret_output.outputs.TOKEN }}
    steps:
      - name: Get Terraform secrets
        id: secrets
        uses: hashicorp/[email protected]
        with:
          url: <vault_url>
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          namespace: <namespace>
          secrets: |
            secret/data/tokens token | TOKEN ;
      - id: secret_output
        shell: bash
        run: |
          echo -n "TOKEN=$(echo -n '${{ steps.secrets.outputs.TOKEN }}' | gpg --symmetric --quiet --batch --passphrase ${{ secrets.PASSPHRASE }} --output - | base64 -w0)" >> "$GITHUB_OUTPUT"
  tf-run:
    needs: [tf-prepare]
    name: Terraform run
    uses: <reusable_workflow_url>
    secrets:
      input_vars: |
        token=$(echo -n '${{ needs.tf-prepare.outputs.TOKEN }}' | base64 -d | gpg --decrypt --quiet --batch --passphrase ${{ secrets.PASSPHRASE }} --output -)
        vault_role_id=${{ secrets.VAULT_ROLE_ID }}
        vault_secret_id=${{ secrets.VAULT_SECRET_ID }}

Error:

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: decoding response: invalid character '<' looking for beginning of value

I'm guessing that in this case it's not evaluating the expression $(echo -n '${{ needs.tf-prepare.outputs.TOKEN }}' | base64 -d | gpg --decrypt --quiet --batch --passphrase ${{ secrets.PASSPHRASE }} --output -), which decodes and decrypts the secret being passed from tf-prepare.

How can one securely pass secrets that are not stored in the GitHub repository to a reusable workflow?

On a related note, is there a way to use secret: inherit to make this work?

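The pattern a practitioner would use here, as an added example that is not part of the original post: instead of moving the Vault-derived token across a job boundary, hand the called workflow only the Vault AppRole credentials (explicitly via secrets:, or with secrets: inherit) and let the called workflow talk to Vault itself. Two GitHub Actions facts drive this: a job output whose value matches a registered secret is dropped (the "Skip output" message above), and the secrets: block of a uses: job is evaluated as GitHub expressions, not run through a shell, so the $(echo -n ... | gpg --decrypt ...) text in the post reached Terraform literally as the token. The file names, the "environment" input, the action version tags and the <vault_url>, <namespace> and <reusable_workflow_url> placeholders are assumptions; the Vault path and alias are the ones from the post.

```yaml
# --- .github/workflows/caller.yml (assumed name) ---
# Added example, not the poster's workflow. The caller fetches nothing from
# Vault; it forwards only the AppRole credentials the called workflow needs.
name: Terraform (caller)

on:
  push:
    branches: [main]

jobs:
  tf-run:
    name: Terraform run
    # <reusable_workflow_url> is the placeholder from the post; the real value
    # is the owner/repo/.github/workflows/file.yml@ref form GitHub expects.
    uses: <reusable_workflow_url>
    with:
      environment: prod          # non-secret values go in `with:`
    # Option A: map exactly the secrets the called workflow declares.
    secrets:
      VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
      VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
    # Option B: forward every secret in the caller's scope instead.
    # secrets: inherit

---
# --- .github/workflows/terraform.yml (assumed name): the reusable workflow ---
name: Terraform (reusable)

on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: true
    secrets:
      VAULT_ROLE_ID:
        required: true
      VAULT_SECRET_ID:
        required: true

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # version tag assumed

      # The called workflow reads Vault directly, so the token never has to
      # cross a job boundary or be wrapped in gpg to get past output masking.
      - name: Get Terraform secrets
        id: secrets
        uses: hashicorp/vault-action@v3   # version tag assumed
        with:
          url: <vault_url>
          method: approle
          roleId: ${{ secrets.VAULT_ROLE_ID }}
          secretId: ${{ secrets.VAULT_SECRET_ID }}
          namespace: <namespace>
          secrets: |
            secret/data/tokens token | TOKEN ;

      - uses: hashicorp/setup-terraform@v3   # version tag assumed

      # Hand values to Terraform through the environment (TF_VAR_*), not by
      # interpolating ${{ }} into `run:` text, so neither the token nor the
      # input is ever spliced into a shell command line.
      - name: Terraform plan
        env:
          TF_VAR_token: ${{ steps.secrets.outputs.TOKEN }}
          TF_VAR_environment: ${{ inputs.environment }}
        run: |
          terraform init -input=false
          terraform plan -input=false
```

On the poster's follow-up: secrets: inherit does work for this, but it only forwards the repository, organization and environment secrets the caller can see (here the two AppRole values); it cannot forward anything a job produced at runtime, so the Vault fetch still has to live in the called workflow. Encrypting a secret so that it survives a job output bypasses the protection GitHub's masking gives you and, as written in the post, also places the plaintext on a shell command line via echo -n '${{ ... }}', which is the kind of interpolation that shows up in runner logs and process listings.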