Need help with secrets-sync-action?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

google
198 Stars 80 Forks Apache License 2.0 41 Commits 5 Opened issues

Description

A Github Action that can sync secrets from one repository to many others.

Services available

!
?

Need anything else?

Contributors list

Secrets Sync Action

Build Release codecov GitHub contributors semantic-release

A Github Action that can sync secrets from one repository to many others. This action allows a maintainer to define and rotate secrets in a single repository and have them synced to all other repositories in the Github organization or beyond. Secrets do not need to be sensitive and could also be specific build settings that would apply to all repositories and become available to all actions. Regex is used to select the secrets and the repositories. Exclude is currently not supported and it is recommended to use a bot user if possible.

Inputs

github_token

Required Token to use to get repos and write secrets.

${{secrets.GITHUB_TOKEN}}
will not work.

repositories

Required Newline delimited regex expressions to select repositories. Repositories are limited to those in which the token user is an owner or collaborator. Set

repositories_list_regex
to
False
to use a hardcoded list of repositories. Archived repositories will be ignored.

github_api_url

Override default GitHub API URL. When not provided, the action will attempt to use an environment variable provided by the GitHub Action runner environment defaults.

repositories_list_regex

If this value is

true
(default), the action will find all repositories available to the token user and filter based upon the regex provided. If it is
false
, it is expected that
repositories
will be an a newline delimited list in the form of org/name.

secrets

Required Newline delimited regex expressions to select values from

process.env
. Use the action env to pass secrets from the repository in which this action runs with the
env
attribute of the step.

retries

The number of retries to attempt when making Github calls when triggering rate limits or abuse limits. Defaults to 3.

concurrency

The number of allowed concurrent calls to the set secret endpoint. Lower this number to avoid abuse limits. Defaults to 10.

dry_run

Run everything except for secret create and update functionality.

delete

When set to

true
, the action will find and delete the selected secrets from repositories. Defaults to
false
.

Usage

uses: google/secrets-sync-action
  with:
    SECRETS: |
      ^FOO$
      ^GITHUB_.*
    REPOSITORIES: |
      ${{github.repository}}
    DRY_RUN: true
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN_SECRETS }}
    GITHUB_API_URL: ${{ secrets.CUSTOM_GITHUB_API_URL }}
    CONCURRENCY: 10
  env:
    FOO: ${{github.run_id}}
    FOOBAR: BAZ

See the workflows in this repository for another example.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.