{"id":24563713,"url":"https://github.com/mildronize/actions-get-secret-sops","last_synced_at":"2025-07-30T16:34:02.066Z","repository":{"id":65160917,"uuid":"480253008","full_name":"mildronize/actions-get-secret-sops","owner":"mildronize","description":"Simple GitHub Action get secret with specific key from encrypted SOPS yaml file","archived":false,"fork":false,"pushed_at":"2023-06-01T07:50:03.000Z","size":137,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-18T12:46:26.465Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mildronize.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-04-11T06:24:49.000Z","updated_at":"2025-02-28T01:54:20.000Z","dependencies_parsed_at":"2025-04-20T14:46:51.735Z","dependency_job_id":null,"html_url":"https://github.com/mildronize/actions-get-secret-sops","commit_stats":{"total_commits":16,"total_committers":1,"mean_commits":16.0,"dds":0.0,"last_synced_commit":"262fce6846fe1ac6017161bfd0465b8ef80466bb"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mildronize/actions-get-secret-sops","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mildronize%2Factions-get-secret-sops","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mildronize%2Factions-get-secret-sops/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/mildronize%2Factions-get-secret-sops/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mildronize%2Factions-get-secret-sops/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mildronize","download_url":"https://codeload.github.com/mildronize/actions-get-secret-sops/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mildronize%2Factions-get-secret-sops/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267899153,"owners_count":24162991,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-30T02:00:09.044Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-23T10:15:22.225Z","updated_at":"2025-07-30T16:34:02.018Z","avatar_url":"https://github.com/mildronize.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# actions-get-secret-sops\nGitHub Action get secret with specific key from encrypted SOPS yaml file.\n\n## Build Status (GitHub Actions)\n\n| Encryption Method | Status |\n|-------------------|--------|\n| Age               | [![Test SOPS with Age](https://github.com/mildronize/actions-get-secret-sops/actions/workflows/test-sops-age.yaml/badge.svg)](https://github.com/mildronize/actions-get-secret-sops/actions/workflows/test-sops-age.yaml)   |\n| Azure Key Vault   | 
[![Test SOPS with Azure Key Vault](https://github.com/mildronize/actions-get-secret-sops/actions/workflows/test-sops-azure-key-vault.yaml/badge.svg)](https://github.com/mildronize/actions-get-secret-sops/actions/workflows/test-sops-azure-key-vault.yaml)  |\n\n## Features\n- Supports Azure Key Vault and Age\n- Supports Linux runners only\n- Masks the secret in the logs when it is read from the SOPS yaml file\n\n![](docs/screenshot.png)\n\n## Usage\n\n### Using Age\n\nSet `decrypting-key` to the secret that holds the Age private key:\n\n```yml\nsteps:\n  - uses: actions/checkout@v3\n  - uses: mildronize/actions-get-secret-sops@v1\n    id: sops\n    with:\n      path: \"examples/data.age-enc.yaml\"\n      property-path: \".scope_a.app_service.app1\"\n      decrypting-key: ${{ secrets.Age_SOPS_github_action }}\n      sops-version: '3.7.2'\n  - run: echo \"${{ steps.sops.outputs.secret }}\"\n```\n\n### Using Azure Key Vault\n\nWhen you create an Azure credential with:\n\n```bash\naz ad sp create-for-rbac -n \"my-service-principal-name\" --role Contributor --scopes /subscriptions/xxxxxxx\n```\n\nit generates JSON; this is the structure of the secret:\n\n```json\n{\n  \"appId\": \"\u003csome-uuid\u003e\",\n  \"displayName\": \"my-service-principal-name\",\n  \"password\": \"\u003csome-uuid\u003e\",\n  \"tenant\": \"\u003ctenant-id\u003e\"\n}\n```\n\nStore it as a secret named `Azure_Credential`, or any name you want.\n\n```yaml\nsteps:\n  - uses: actions/checkout@v3\n  - uses: mildronize/actions-get-secret-sops/azure@v1\n    id: sops\n    with:\n      path: \"azure.enc.yaml\"                          # Encrypted SOPS yaml path\n      property-path: \".property\"                      # yq/jq expression syntax for getting a particular value\n      decrypting-key: ${{ secrets.Azure_Credential }} # Credential used to decrypt the encrypted SOPS yaml file\n      sops-version: '3.7.2'\n\n  - run: echo \"${{ steps.sops.outputs.secret }}\"\n```\n\n## Hiding Secrets from Logs\n\nThis action uses 
GitHub Actions' built-in masking, so all variables are automatically masked (hidden) in the logs. However, anyone who has permission to edit your workflows can read the secrets and write them somewhere else, just as with normal GitHub Secrets, which means the secrets can be exposed.\n\n# SOPS 101\n\nCheck out the main repo for full documentation: https://github.com/mozilla/sops\n\n## Encrypt using Age\n\nInstall age:\n\n```\nbrew install age\n```\n\nGenerate an Age key:\n\n```\nage-keygen -o key.txt\n```\n\nThe contents of the file `key.txt`:\n\n```\n# created: 2022-04-11T15:36:32+07:00\n# public key: age1js5yl37ghup68pzf8f2kutf6xtuwc4m6lpha0llgmcup93q3sp9qtfwvr8\nAGE-SECRET-KEY-15YXVYTPWNT4UF3KY05K27LZN2SAT83SJKX7UH4MXQEQAWRWPFNYSDHK860\n```\n\n**DO NOT PUBLISH YOUR AGE SECRET KEY** (the key shown here is an example for this repo only)\n\nEncrypt the file with the Age public key:\n\n```\nsops --encrypt --age age1js5yl37ghup68pzf8f2kutf6xtuwc4m6lpha0llgmcup93q3sp9qtfwvr8 examples/data.yaml \u003e examples/data.age-enc.yaml\n```\n\nSet a GitHub Actions secret with the Age secret key.\n\n## Encrypt with Azure Key Vault\n\n```bash\naz ad sp create-for-rbac -n \"sp_sops_github_action\" --role Contributor --scopes /subscriptions/[Subscription ID]/resourceGroups/[resource_Group_name]/providers/Microsoft.KeyVault/vaults/[vault_name]\n\n# Example output:\n# {\n#   \"appId\": \"\u003csome-uuid\u003e\",\n#   \"displayName\": \"my-keyvault-sp\",\n#   \"name\": \"http://my-keyvault-sp\",\n#   \"password\": \"\u003csome-uuid\u003e\",\n#   \"tenant\": \"\u003ctenant-id\u003e\"\n# }\n\n# Set these to the appId, tenant and password values from the output:\nexport AZURE_CLIENT_ID=\"appId\"\nexport AZURE_TENANT_ID=\"tenant\"\nexport AZURE_CLIENT_SECRET=\"password\"\n```\n\n```bash\naz account set --subscription \"XXXX\"\naz group create --name rg-common --location \"Central US\"\n# Create a Vault, a key, and give the service principal access:\naz keyvault create --name \"kv-github-action\" --resource-group rg-common --location \"Central US\"\n\naz keyvault key create --name \"sops-key\" --vault-name \"kv-github-action\" --protection software 
--ops encrypt decrypt\n\naz keyvault set-policy --name \"kv-github-action\" --resource-group \"rg-common\" --spn \"$AZURE_CLIENT_ID\" \\\n        --key-permissions encrypt decrypt\n\n# Read the key id:\naz keyvault key show --name \"sops-key\" --vault-name \"kv-github-action\" --query key.kid\n# Example output:\n# https://sops.vault.azure.net/keys/sops-key/some-string\n\n# Encrypt\nsops --encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml \u003e test.enc.yaml\n# Decrypt\nsops --decrypt test.enc.yaml\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmildronize%2Factions-get-secret-sops","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmildronize%2Factions-get-secret-sops","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmildronize%2Factions-get-secret-sops/lists"}