{"id":14070612,"url":"https://github.com/google-github-actions/get-secretmanager-secrets","last_synced_at":"2025-04-06T09:11:12.013Z","repository":{"id":37467101,"uuid":"308778069","full_name":"google-github-actions/get-secretmanager-secrets","owner":"google-github-actions","description":"A GitHub Action for accessing secrets from Google Secret Manager and making them available as outputs.","archived":false,"fork":false,"pushed_at":"2024-08-06T01:25:10.000Z","size":2689,"stargazers_count":145,"open_issues_count":0,"forks_count":32,"subscribers_count":9,"default_branch":"main","last_synced_at":"2024-10-14T01:07:19.500Z","etag":null,"topics":["actions","gcp","github-actions","google-cloud","google-cloud-platform","google-secret-manager","secret-manager","secrets"],"latest_commit_sha":null,"homepage":"https://cloud.google.com/secret-manager","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google-github-actions.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-31T01:09:39.000Z","updated_at":"2024-09-25T23:25:39.000Z","dependencies_parsed_at":"2023-12-08T21:23:50.561Z","dependency_job_id":"71609b51-1647-408a-946b-bcf09a57a486","html_url":"https://github.com/google-github-actions/get-secretmanager-secrets","commit_stats":{"total_commits":194,"total_committers":9,"mean_commits":"21.555555555555557","dds":0.5773195876288659,"last_synced_commit":"95a0b09b8348ef3d02c68c6ba5662a037e78d713"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fget-secretmanager-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fget-secretmanager-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fget-secretmanager-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Fget-secretmanager-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google-github-actions","download_url":"https://codeload.github.com/google-github-actions/get-secretmanager-secrets/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246290648,"owners_count":20753730,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","gcp","github-actions","google-cloud","google-cloud-platform","google-secret-manager","secret-manager","secrets"],"created_at":"2024-08-13T07:07:56.319Z","updated_at":"2025-03-30T08:09:15.223Z","avatar_url":"https://github.com/google-github-actions.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"# get-secretmanager-secrets\n\nThis action fetches secrets from [Secret Manager][sm] and makes them available\nto later build steps via outputs. 
This is useful when you want Secret Manager to\nbe the source of truth for secrets in your organization, but you need access to\nthose secrets in build steps.\n\nSecrets that are successfully fetched are set as output variables and can be\nused in subsequent actions. After a secret is accessed, its value is added to\nthe mask of the build to reduce the chance of it being printed or logged by\nlater steps.\n\n**This is not an officially supported Google product, and it is not covered by a\nGoogle Cloud support contract. To report bugs or request features in a Google\nCloud product, please contact [Google Cloud\nsupport](https://cloud.google.com/support).**\n\n\n## Prerequisites\n\n-   This action requires Google Cloud credentials that are authorized to access\n    the secrets being requested. See [Authorization](#authorization) for more\n    information.\n\n-   This action runs using Node 20. If you are using self-hosted GitHub Actions\n    runners, you must use a [runner\n    version](https://github.com/actions/virtual-environments) that supports this\n    version or newer.\n\n## Usage\n\n```yaml\njobs:\n  job_id:\n    permissions:\n      contents: 'read'\n      id-token: 'write'\n\n    steps:\n    - id: 'auth'\n      uses: 'google-github-actions/auth@v2'\n      with:\n        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'\n        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'\n\n    - id: 'secrets'\n      uses: 'google-github-actions/get-secretmanager-secrets@v2'\n      with:\n        secrets: |-\n          token:my-project/docker-registry-token\n\n    # Example of using the output\n    - id: 'publish'\n      uses: 'foo/bar@v1'\n      env:\n        TOKEN: '${{ steps.secrets.outputs.token }}'\n```\n\n\n## Inputs\n\n\u003c!-- BEGIN_AUTOGEN_INPUTS --\u003e\n\n-   \u003ca name=\"secrets\"\u003e\u003c/a\u003e\u003ca 
href=\"#user-content-secrets\"\u003e\u003ccode\u003esecrets\u003c/code\u003e\u003c/a\u003e: _(Required)_ List of secrets to access and inject into the environment. These are\n    comma-separated or newline-separated `OUTPUTNAME:SECRET`. Output names or\n    secret names that contain separators must be escaped with a backslash\n    (e.g. `\\,` or `\\\\n`) unless quoted. Any leading or trailing whitespace is\n    trimmed unless values are quoted.\n\n    ```yaml\n    secrets: |-\n      output1:my-project/my-secret1\n      output2:my-project/my-secret2\n    ```\n\n    Secrets can be referenced using the following formats:\n\n    ```text\n    # Long form\n    projects/\u003cproject-id\u003e/secrets/\u003csecret-id\u003e/versions/\u003cversion-id\u003e\n\n    # Long form - \"latest\" version\n    projects/\u003cproject-id\u003e/secrets/\u003csecret-id\u003e\n\n    # Short form\n    \u003cproject-id\u003e/\u003csecret-id\u003e/\u003cversion-id\u003e\n\n    # Short form - \"latest\" version\n    \u003cproject-id\u003e/\u003csecret-id\u003e\n    ```\n\n-   \u003ca name=\"min_mask_length\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-min_mask_length\"\u003e\u003ccode\u003emin_mask_length\u003c/code\u003e\u003c/a\u003e: _(Optional, default: `4`)_ Minimum line length for a secret to be masked. Extremely short secrets\n    (e.g. `{` or `a`) can make GitHub Actions log output unreadable. 
This is\n    especially important for multi-line secrets, since each line of the secret\n    is masked independently.\n\n-   \u003ca name=\"export_to_environment\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-export_to_environment\"\u003e\u003ccode\u003eexport_to_environment\u003c/code\u003e\u003c/a\u003e: _(Optional)_ Make the fetched secrets additionally available as environment variables.\n\n-   \u003ca name=\"encoding\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-encoding\"\u003e\u003ccode\u003eencoding\u003c/code\u003e\u003c/a\u003e: _(Optional, default: `utf8`)_ Encoding in which secrets will be exported into outputs (and environment\n    variables if `export_to_environment` is true). For secrets that cannot be\n    represented in text, such as encryption key bytes, choose an encoding that\n    has a safe character set, such as `base64` or `hex`. For more information about\n    available encoding types, please see the [Node.js Buffer and character\n    encodings](https://nodejs.org/docs/latest/api/buffer.html#buffers-and-character-encodings).\n\n-   \u003ca name=\"universe\"\u003e\u003c/a\u003e\u003ca href=\"#user-content-universe\"\u003e\u003ccode\u003euniverse\u003c/code\u003e\u003c/a\u003e: _(Optional, default: `googleapis.com`)_ The Google Cloud universe to use for constructing API endpoints. The\n    default universe is \"googleapis.com\", which corresponds to\n    https://cloud.google.com. Trusted Partner Cloud and Google Distributed\n    Hosted Cloud should set this to their universe address.\n\n\n\u003c!-- END_AUTOGEN_INPUTS --\u003e\n\n\n## Outputs\n\n\u003c!-- BEGIN_AUTOGEN_OUTPUTS --\u003e\n\n-   `secrets`: Each secret is prefixed with an output name. The secret's resolved access\n    value will be available at that output in future build steps. 
For example:\n\n    ```yaml\n    jobs:\n      job_id:\n        steps:\n        - id: 'secrets'\n          uses: 'google-github-actions/get-secretmanager-secrets@v2'\n          with:\n            secrets: |-\n              token:my-project/docker-registry-token\n    ```\n\n    will be available in future steps as the output:\n\n    ```text\n    steps.secrets.outputs.token\n    ```\n\n\n\u003c!-- END_AUTOGEN_OUTPUTS --\u003e\n\n\n## Authorization\n\nThere are a few ways to authenticate this action. The caller must have\npermissions to access the secrets being requested.\n\n### Via google-github-actions/auth\n\nUse [google-github-actions/auth](https://github.com/google-github-actions/auth)\nto authenticate the action. You can use [Workload Identity Federation][wif] or\ntraditional [Service Account Key JSON][sa] authentication.\n\n```yaml\njobs:\n  job_id:\n    permissions:\n      contents: 'read'\n      id-token: 'write'\n\n    steps:\n    - uses: 'actions/checkout@v4'\n\n    - id: 'auth'\n      uses: 'google-github-actions/auth@v2'\n      with:\n        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'\n        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'\n\n    - id: 'secrets'\n      uses: 'google-github-actions/get-secretmanager-secrets@v2'\n```\n\n### Via Application Default Credentials\n\nIf you are hosting your own runners, **and** those runners are on Google Cloud,\nyou can leverage the Application Default Credentials of the instance. This will\nauthenticate requests as the service account attached to the instance. 
**This\nonly works using a custom runner hosted on GCP.**\n\n```yaml\njobs:\n  job_id:\n    steps:\n    - id: 'secrets'\n      uses: 'google-github-actions/get-secretmanager-secrets@v2'\n```\n\nThe action will automatically detect and use the Application Default\nCredentials.\n\n\n[sm]: https://cloud.google.com/secret-manager\n[wif]: https://cloud.google.com/iam/docs/workload-identity-federation\n[sa]: https://cloud.google.com/iam/docs/creating-managing-service-accounts\n[gh-runners]: https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[gh-secret]: https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets\n[setup-gcloud]: https://github.com/google-github-actions/setup-gcloud\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle-github-actions%2Fget-secretmanager-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle-github-actions%2Fget-secretmanager-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle-github-actions%2Fget-secretmanager-secrets/lists"}