{"id":34745060,"url":"https://github.com/keywaysh/keyway-action","last_synced_at":"2026-05-21T12:38:12.465Z","repository":{"id":328248835,"uuid":"1114431199","full_name":"keywaysh/keyway-action","owner":"keywaysh","description":"GitHub Action to pull secrets from Keyway and inject them into your CI/CD workflows","archived":false,"fork":false,"pushed_at":"2026-02-02T21:36:45.000Z","size":415,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-03T10:59:32.234Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/keywaysh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-11T11:09:58.000Z","updated_at":"2026-02-02T21:36:02.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/keywaysh/keyway-action","commit_stats":null,"previous_names":["keywaysh/keyway-action"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/keywaysh/keyway-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keywaysh%2Fkeyway-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keywaysh%2Fkeyway-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keywaysh%2Fkeyway-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keywaysh%2Fkeyway-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/keywaysh","download_url":"https://codeload.github.com/keywaysh/keyway-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/keywaysh%2Fkeyway-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33301032,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-21T12:23:38.849Z","status":"ssl_error","status_checked_at":"2026-05-21T12:22:11.673Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-25T04:30:32.037Z","updated_at":"2026-05-21T12:38:12.443Z","avatar_url":"https://github.com/keywaysh.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Keyway Secrets GitHub Action\n\n[![.env by Keyway](https://keyway.sh/badge.svg?repo=keywaysh/keyway-action)](https://keyway.sh)\n\nPull secrets from your [Keyway](https://keyway.sh) vault and export them as environment variables in your GitHub Actions workflows.\n\n## Features\n\n- Pull secrets from Keyway vault for any environment\n- Export secrets as GitHub Actions environment variables\n- Optionally write secrets to a `.env` file\n- Automatic secret masking in workflow logs\n- Support for self-hosted/enterprise Keyway installations\n\n## Quick Start\n\n```yaml\n- uses: keywaysh/keyway-action@v1\n  with:\n    token: ${{ secrets.KEYWAY_TOKEN }}\n```\n\n## Usage\n\n### Basic Usage\n\nPull secrets and export as environment variables:\n\n```yaml\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - uses: keywaysh/keyway-action@v1\n        with:\n          token: ${{ secrets.KEYWAY_TOKEN }}\n\n      - name: Use secrets\n        run: |\n          echo \"Database: $DATABASE_URL\"\n          ./deploy.sh\n```\n\n### Multiple Environments\n\n```yaml\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: keywaysh/keyway-action@v1\n        with:\n          token: ${{ secrets.KEYWAY_TOKEN }}\n          environment: staging\n\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: keywaysh/keyway-action@v1\n        with:\n          token: ${{ secrets.KEYWAY_TOKEN }}\n          environment: cicd\n```\n\n### Write to .env File\n\n```yaml\n- uses: keywaysh/keyway-action@v1\n  with:\n    token: ${{ secrets.KEYWAY_TOKEN }}\n    env-file: .env\n    export-env: false\n```\n\n### Full Options\n\n```yaml\n- uses: keywaysh/keyway-action@v1\n  with:\n    # Required: Keyway authentication token\n    token: ${{ secrets.KEYWAY_TOKEN }}\n\n    # Vault environment (default: cicd)\n    environment: cicd\n\n    # Repository in owner/repo format (auto-detected)\n    repository: owner/repo\n\n    # Export secrets as GitHub env vars (default: true)\n    export-env: true\n\n    # Write secrets to .env file (optional)\n    env-file: .env\n\n    # Mask secret values in logs (default: true)\n    mask-values: true\n\n    # API URL for self-hosted (default: https://api.keyway.sh)\n    api-url: https://api.keyway.sh\n```\n\n## Inputs\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `token` | Keyway API key or GitHub PAT | Yes | - |\n| `environment` | Vault environment | No | `cicd` |\n| `repository` | Repository (owner/repo) | No | Auto-detected |\n| `export-env` | Export as env vars | No | `true` |\n| `env-file` | Write to .env file | No | - |\n| `mask-values` | Mask values in logs | No | `true` |\n| `api-url` | Keyway API URL | No | `https://api.keyway.sh` |\n\n## Outputs\n\n| Output | Description |\n|--------|-------------|\n| `secrets-count` | Number of secrets pulled |\n| `environment` | Environment that was used |\n\n## Getting a Keyway Token\n\n### Option 1: Keyway API Key (Recommended)\n\nAPI keys are the most secure option for CI/CD:\n\n1. Go to your [Keyway Dashboard](https://app.keyway.sh/api-keys)\n2. Click \"Create Key\" and select the `read:secrets` scope\n3. Copy the generated key (starts with `kw_live_...`)\n4. Add it as your `KEYWAY_TOKEN` secret\n\n**Benefits of API keys:**\n- Scoped permissions (only what's needed)\n- Optional expiration dates\n- No access to your GitHub account\n- Usage tracking and audit logs\n\n### Option 2: GitHub Personal Access Token\n\n1. Create a [fine-grained PAT](https://github.com/settings/tokens?type=beta) with:\n   - **Repository access**: Select the repos you want to use with Keyway\n   - **Permissions**: Metadata → Read-only (no other permissions needed)\n2. Use this PAT as your `KEYWAY_TOKEN`\n\n### Option 3: Keyway Token via CLI\n\n1. Run `npx @keywaysh/cli login --token` and follow the prompts\n2. The CLI will guide you through creating a GitHub PAT\n3. Use that same PAT as your `KEYWAY_TOKEN` in GitHub Actions\n\n\u003e **Note**: Tokens from `keyway login` (device flow without `--token`) are stored encrypted locally and cannot be easily extracted for CI/CD use. Use the `--token` flag to authenticate with a PAT you can reuse.\n\n### Adding to GitHub Secrets\n\n1. Go to your repository Settings \u003e Secrets and variables \u003e Actions\n2. Click \"New repository secret\"\n3. Name: `KEYWAY_TOKEN`\n4. Value: Your Keyway token\n5. Click \"Add secret\"\n\n## Examples\n\n### Deploy to Vercel\n\n```yaml\nname: Deploy\n\non:\n  push:\n    branches: [main]\n\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - uses: keywaysh/keyway-action@v1\n        with:\n          token: ${{ secrets.KEYWAY_TOKEN }}\n          environment: cicd\n\n      - uses: amondnet/vercel-action@v25\n        with:\n          vercel-token: ${{ env.VERCEL_TOKEN }}\n          vercel-org-id: ${{ env.VERCEL_ORG_ID }}\n          vercel-project-id: ${{ env.VERCEL_PROJECT_ID }}\n```\n\n### Docker Build with Secrets\n\n```yaml\nname: Build\n\non:\n  push:\n    branches: [main]\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n\n      - uses: keywaysh/keyway-action@v1\n        with:\n          token: ${{ secrets.KEYWAY_TOKEN }}\n          env-file: .env\n\n      - name: Build Docker image\n        run: docker build --secret id=env,src=.env -t myapp .\n```\n\n### Matrix Strategy\n\n```yaml\nname: Test\n\non: [push]\n\njobs:\n  test:\n    runs-on: ubuntu-latest\n    strategy:\n      matrix:\n        environment: [development, staging]\n    steps:\n      - uses: actions/checkout@v4\n\n      - uses: keywaysh/keyway-action@v1\n        with:\n          token: ${{ secrets.KEYWAY_TOKEN }}\n          environment: ${{ matrix.environment }}\n\n      - run: npm test\n```\n\n## Troubleshooting\n\n### \"Authentication failed\"\n\n- Verify your `KEYWAY_TOKEN` secret is set correctly\n- Check if the token has expired\n- Ensure the token has access to the repository\n\n### \"API key missing required scope\"\n\n- Your API key needs the `read:secrets` scope to pull secrets\n- Create a new API key with the correct scope in your [Keyway Dashboard](https://app.keyway.sh/api-keys)\n\n### \"Vault not found\"\n\n- Run `keyway init` locally to create the vault first\n- Verify the repository name matches your Keyway vault\n\n### \"Access denied\"\n\n- Check your Keyway plan limits\n- Verify you have access to the repository on GitHub\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeywaysh%2Fkeyway-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeywaysh%2Fkeyway-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeywaysh%2Fkeyway-action/lists"}