{"id":17866206,"url":"https://github.com/xt0rted/secrets-sync","last_synced_at":"2025-07-15T01:11:15.580Z","repository":{"id":36982138,"uuid":"451594898","full_name":"xt0rted/secrets-sync","owner":"xt0rted","description":"A GitHub Action to sync secrets across multiple repositories","archived":false,"fork":false,"pushed_at":"2025-06-02T01:20:42.000Z","size":3171,"stargazers_count":11,"open_issues_count":14,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-02T11:18:30.403Z","etag":null,"topics":["dependabot","github-action","github-actions","secrets","secrets-management","secrets-manager","workflows"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/xt0rted.png","metadata":{"funding":{"github":"xt0rted","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null},"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-01-24T18:59:24.000Z","updated_at":"2025-04-21T02:11:26.000Z","dependencies_parsed_at":"2024-04-15T02:31:17.243Z","dependency_job_id":"5f11c070-7e4c-4a2d-be73-397a491edf25","html_url":"https://github.com/xt0rted/secrets-sync","commit_stats":{"total_commits":380,"total_committers":2,"mean_commits":190.0,"dds":0.1394736842105263,"last_synced_commit":"1e883eb6905f7f16b8a17ff18c1064cf06abccac"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/xt0rted/secrets-sync","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xt0rted%2Fsecrets-sync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xt0rted%2Fsecrets-sync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xt0rted%2Fsecrets-sync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xt0rted%2Fsecrets-sync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/xt0rted","download_url":"https://codeload.github.com/xt0rted/secrets-sync/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/xt0rted%2Fsecrets-sync/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265383990,"owners_count":23756630,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependabot","github-action","github-actions","secrets","secrets-management","secrets-manager","workflows"],"created_at":"2024-10-28T09:29:04.090Z","updated_at":"2025-07-15T01:11:15.535Z","avatar_url":"https://github.com/xt0rted.png","language":"TypeScript","funding_links":["https://github.com/sponsors/xt0rted"],"categories":[],"sub_categories":[],"readme":"# secrets-sync\n\n[![CI](https://github.com/xt0rted/secrets-sync/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/xt0rted/secrets-sync/actions/workflows/ci.yml)\n[![CodeQL](https://github.com/xt0rted/secrets-sync/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/xt0rted/secrets-sync/actions/workflows/codeql-analysis.yml)\n\nA GitHub Action to sync secrets across multiple repositories.\n\nSince this is a security centric action the dependencies used are all first party libraries, or ones that GitHub themselves use in their own actions.\n\nCurently only [GitHub Actions](https://docs.github.com/en/actions/security-guides/encrypted-secrets) and [Dependabot](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot) secrets are supported.\n[CodeSpaces](https://docs.github.com/en/codespaces/managing-your-codespaces/managing-encrypted-secrets-for-your-codespaces) supports secrets but there isn't an API to manage them right now.\n[Environment secrets](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets) have an API but aren't supported at the moment.\nIf there's demand for this then support can be added.\n\nGet started quickly by forking [xt0rted/secrets-sync-template](https://github.com/xt0rted/secrets-sync-template).\n\n## Usage\n\nAnything can be used to trigger a workflow, but manually triggering is probably the best option.\nYou won't be able to use the provided [`GITHUB_TOKEN`](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) since it won't have access to your other repositories.\nBecause of this a [Personal Access Token](https://github.com/settings/tokens/new?scopes=repo) with the `repo` scope or a [GitHub App Token](https://docs.github.com/en/developers/apps) with the appropriate access will need to be used.\n\nBy default the config file is named `secrets-sync.yml` and will be loaded from the root of the repository.\n\n### Example workflow\n\n```yaml\non:\n  workflow_dispatch:\n    inputs:\n      filter_repos:\n        description: \"Comma separated list of repos that should be processed\"\n        required: false\n\n      filter_secrets:\n        description: \"Comma separated list of secrets that should be processed\"\n        required: false\n\njobs:\n  sync:\n    runs-on: ubuntu-latest\n\n    steps:\n      - name: Check out repo\n        uses: actions/checkout@v2\n\n      - name: Sync secrets\n        uses: xt0rted/secrets-sync@v1\n        with:\n          repo_token: ${{ secrets.SECRET_SYNC_TOKEN }}\n          filter_repos: ${{ github.event.inputs.filter_repos }}\n          filter_secrets: ${{ github.event.inputs.filter_secrets }}\n        env:\n          APP_ID: ${{ secrets.APP_ID }}\n          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}\n```\n\n### Example config\n\n```yaml\n# yaml-language-server: $schema=https://raw.githubusercontent.com/xt0rted/secrets-sync/main/settings.schema.json\ndefaults:\n  actions: true\n  dependabot: true\n\nsecrets:\n  - name: APP_ID\n    value: env/APP_ID\n    repos:\n      - test-user/test-repo-1\n      - test-user/test-repo-2\n\n  - name: PRIVATE_KEY\n    value: env/PRIVATE_KEY\n    repos:\n      - test-user/test-repo-1\n      - test-user/test-repo-2\n```\n\n## Options\n\nName | Required | Description\n-- | :--: | --\n`repo_token` | ✅ | `repo` scoped Personal Access Token or GitHub App Token.\n`config` | ✅ | Path of the config file to use.\n`filter_repos` | ❌ | Comma separated list of repos that should be processed. Any not in the list will be skipped.\n`filter_secrets` | ❌ | Comma separated list of secrets that should be processed. Any not in the list will be skipped.\n\n## Config format\n\n```yaml\n# yaml-language-server: $schema=https://raw.githubusercontent.com/xt0rted/secrets-sync/main/settings.schema.json\ndefaults:\n  actions: true\n  dependabot: false\n\nsecrets:\n  - name: APP_ID\n    value: abc123\n    actions: false\n    dependabot: true\n    repos:\n      - test-user/test-repo\n\n  - name: PRIVATE_KEY\n    value: env/PRIVATE_KEY\n    repos:\n      - test-user/test-repo\n```\n\n\u003eℹ️ A schema file [is available](settings.schema.json) to verify your config format.\n\n### Defaults\n\n```yaml\ndefaults:\n  actions: true\n  dependabot: true\n```\n\nThis section lets you set the default environments that secrets are added to.\nThese are opt-in so if you don't set them here you'll need to set them on each individual secret.\n\n### Secrets\n\n```yaml\n- name: APP_ID # Name of the secret in the destination repository\n  value: env/APP_ID # Value to use for the secret\n  actions: true # Optional\n  dependabot: true # Optional\n  repos: # List of repositories the secret should be added to\n    - test-user/test-repo-1\n    - test-user/test-repo-2\n```\n\nThe value of a secret can be static or dynamic.\nA static secret will use the value in the file as-is, while a dynamic secret will be loaded from an environment variable.\n\nTo use dynamic secrets prefix any environment variable name with `env/`.\nFor example, if the environment variable name is `APP_ID` the config value would be `env/APP_ID`.\nThen add an environment variable to the step in your workflow with that name.\n\nIf a secret's value is left blank it's treated as an empty string, but if it's excluded from the file then it will be deleted from the repository.\nThis is useful if you're going to rename a secret or no longer need it.\n\n```yaml\n# Removes the APP_ID secret from the test-user/test-repo-1 repo\n- name: APP_ID\n  repos:\n    - test-user/test-repo-1\n```\n\nEnvironments can be enabled or disabled on a per secret basis.\nThis way if you've set `actions: true` as the default but don't want a secret to be set for actions you can add `actions: false` to it and it'll be skipped.\n\n## License\n\nThe scripts and documentation in this project are released under the [MIT License](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxt0rted%2Fsecrets-sync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxt0rted%2Fsecrets-sync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxt0rted%2Fsecrets-sync/lists"}