A Github Action that can sync secrets from one repository to many others.
A Github Action that can sync secrets from one repository to many others. This action allows a maintainer to define and rotate secrets in a single repository and have them synced to all other repositories in the Github organization or beyond. Secrets do not need to be sensitive and could also be specific build settings that would apply to all repositories and become available to all actions. Regex is used to select the secrets and the repositories. Exclude is currently not supported and it is recommended to use a bot user if possible.
github_token
Required Token to use to get repos and write secrets.
${{secrets.GITHUB_TOKEN}}will not work.
repositories
Required New line deliminated regex expressions to select repositories. Repositires are limited to those in whcich the token user is an owner or collaborator. Set
repositories_list_regexto
Falseto use a hardcoded list of repositories. Archived repositories will be ignored.
repositories_list_regex
If this value is
true(default), the action will find all repositories available to the token user and filter based upon the regex provided. If it is false, it is expected that
repositorieswill be an a new line deliminated list in the form of org/name.
secrets
Required New line deliminated regex expressions to select values from
process.env. Use the action env to pass secrets from the repository in which this action runs with the
envattribute of the step.
retries
The number of retries to attempt when making Github calls when triggering rate limits or abuse limits. Defaults to 3.
concurrency
The number of allowed concurrent calls to the set secret endpoint. Lower this number to avoid abuse limits. Defaults to 10.
dry_run
Run everything except for secret create and update functionality.
uses: google/secrets-sync-action with: SECRETS: | ^FOO$ ^GITHUB_.* REPOSITORIES: | ${{github.repository}} DRY_RUN: true GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN_SECRETS }} CONCURRENCY: 10 env: FOO: ${{github.run_id}} FOOBAR: BAZ
See the workflows in this repository for another example.