{"id":20268491,"url":"https://github.com/infisical/secrets-action","last_synced_at":"2025-04-11T03:40:08.644Z","repository":{"id":237966178,"uuid":"795503506","full_name":"Infisical/secrets-action","owner":"Infisical","description":"Inject Infisical secrets into your Github workflows","archived":false,"fork":false,"pushed_at":"2025-03-21T13:25:59.000Z","size":679,"stargazers_count":25,"open_issues_count":4,"forks_count":11,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-03T13:48:46.952Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://infisical.com","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Infisical.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-03T12:28:17.000Z","updated_at":"2025-04-02T19:05:28.000Z","dependencies_parsed_at":"2024-07-10T06:13:40.731Z","dependency_job_id":"fd73bcc5-9853-439a-92f0-b975981ed1df","html_url":"https://github.com/Infisical/secrets-action","commit_stats":null,"previous_names":["infisical/secrets-loader-action","infisical/secrets-action"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fsecrets-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fsecrets-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fsecrets-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Infisical%2Fsecrets-action/manifests"
,"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Infisical","download_url":"https://codeload.github.com/Infisical/secrets-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248339176,"owners_count":21087212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T12:18:33.966Z","updated_at":"2025-04-11T03:40:08.629Z","avatar_url":"https://github.com/Infisical.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Infisical Secrets Action\n\nThis GitHub Action enables you to import secrets from Infisical—whether hosted in the cloud or self-hosted—directly into your GitHub workflows.\n\n## Configuration\n\n- In order to use this, you will need to configure a [Machine Identity](https://infisical.com/docs/documentation/platform/identities/machine-identities) for your project.\n- This action supports two ways to authenticate your workflows with Infisical - [OIDC](https://infisical.com/docs/documentation/platform/identities/oidc-auth/github) and [universal auth](https://infisical.com/docs/documentation/platform/identities/universal-auth).\n\n### OIDC Auth\n\n- Configure a machine identity to use the \"OIDC Auth\" method. Set the bound audience, bound subject, and bound claims as needed for your setup. Refer to the setup guide [here](https://infisical.com/docs/documentation/platform/identities/oidc-auth/github).\n- Get the machine identity's ID.\n- Set `method` to oidc and configure the `identity-id` input parameter. 
Optionally, customize the JWT's `aud` field by setting the `oidc-audience` input parameter.\n- For debugging OIDC configuration issues, you can use GitHub's [actions-oidc-debugger](https://github.com/github/actions-oidc-debugger) tool. This tool helps you inspect the JWT claims and verify they match your configuration.\n- Add `id-token: write` to the permissions for your workflow:\n```yaml\npermissions:\n  id-token: write\n  contents: read\n```\n\n### Universal Auth\n\n- Configure a machine identity to have an auth method of \"Universal Auth\".\n- Get the machine identity's `client_id` and `client_secret` and store them as GitHub secrets (recommended) or environment variables.\n- Set the `client-id` and `client-secret` input parameters.\n\n## Usage\n\nWith this action, you can use your Infisical secrets in two ways: as environment variables or as a file.\n\n### As environment variables\n\nSecrets are injected as environment variables and can be referenced by subsequent workflow steps.\n\n```yaml\n- uses: Infisical/secrets-action@v1.0.9\n  with:\n    method: \"oidc\"\n    identity-id: \"24be0d94-b43a-41c4-812c-1e8654d9ce1e\"\n    domain: \"https://app.infisical.com\" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance\n    env-slug: \"dev\"\n    project-slug: \"cli-integration-tests-9-edj\"\n```\n\n### As a file\n\nExports secrets to a file in your `GITHUB_WORKSPACE`, useful for applications that read from `.env` files.\n\n```yaml\n- uses: Infisical/secrets-action@v1.0.9\n  with:\n    method: \"oidc\"\n    identity-id: \"24be0d94-b43a-41c4-812c-1e8654d9ce1e\"\n    domain: \"https://app.infisical.com\" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance\n    env-slug: \"dev\"\n    project-slug: \"cli-integration-tests-9-edj\"\n    export-type: \"file\"\n    file-output-path: \"/src/.env\" # defaults to \"/.env\"\n```\n\n**Note**: Make sure 
to configure an `actions/checkout` step before using this action in file export mode.\n\n```yaml\nsteps:\n  - name: Checkout code\n    uses: actions/checkout@v4\n```\n\n## Inputs\n\n### `method`\n\n**Optional**. The authentication method to use. Defaults to `universal`. Possible values are `universal` and `oidc`\n\n### `client-id`\n\n**Optional**. Machine Identity client ID\n\n### `client-secret`\n\n**Optional**. Machine Identity secret key\n\n### `identity-id`\n\n**Optional**. Machine Identity ID\n\n### `oidc-audience`\n\n**Optional**. Custom `aud` claim for the signed GitHub ID token\n\n### `project-slug`\n\n**Required**. Source project slug\n\n### `env-slug`\n\n**Required**. Source environment slug\n\n### `domain`\n\n**Optional**. Infisical URL. Defaults to https://app.infisical.com. If you're using Infisical EU (https://eu.infisical.com) or a self-hosted/dedicated instance, you will need to set the appropriate value for this field.\n\n### `export-type`\n\n**Optional**. If set to `env`, it will set the fetched secrets as environment variables for subsequent steps of a workflow. If set to `file`, it will export the secrets in a .env file in the defined file-output-path. Defaults to `env`\n\n### `file-output-path`\n\n**Optional**. The path to save the file when export-type is set to `file`. Defaults to `/.env`\n\n### `secret-path`\n\n**Optional**. Source secret path. Defaults to `/`.  Example: `/my-secret-path`.\n\n### `include-imports`\n\n**Optional**. If set to `true`, it will include imported secrets. Defaults to `true`\n\n### `recursive`\n\n**Optional**. If set to `true`, it will fetch all secrets from the specified base path and all of its subdirectories. 
Defaults to `false`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfisical%2Fsecrets-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finfisical%2Fsecrets-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finfisical%2Fsecrets-action/lists"}