{"id":25242649,"url":"https://github.com/zgosalvez/github-actions-decrypt-secrets","last_synced_at":"2026-03-15T18:24:19.125Z","repository":{"id":40707628,"uuid":"319530432","full_name":"zgosalvez/github-actions-decrypt-secrets","owner":"zgosalvez","description":"A GitHub Action to decrypt secrets from a JSON file using gpg","archived":false,"fork":false,"pushed_at":"2025-02-09T06:57:08.000Z","size":1909,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-02-10T18:51:22.807Z","etag":null,"topics":["actions","github","github-actions","gpg","secrets"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/decrypt-secrets","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zgosalvez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"zgosalvez"}},"created_at":"2020-12-08T04:57:08.000Z","updated_at":"2025-02-09T06:56:37.000Z","dependencies_parsed_at":"2023-12-03T04:18:50.763Z","dependency_job_id":"ad5bb4c8-d87c-4142-ac38-37a67605f725","html_url":"https://github.com/zgosalvez/github-actions-decrypt-secrets","commit_stats":{"total_commits":50,"total_committers":2,"mean_commits":25.0,"dds":"0.31999999999999995","last_synced_commit":"b67b6ed251d8fda80532a739630756f29dacec54"},"previous_names":[],"tags_count":47,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zgosalvez%2Fgithub-actions-decrypt-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zgosalvez%2Fgithub-actions-decrypt-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zgosalvez%2Fgithub-actions-decrypt-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zgosalvez%2Fgithub-actions-decrypt-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zgosalvez","download_url":"https://codeload.github.com/zgosalvez/github-actions-decrypt-secrets/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238383633,"owners_count":19462855,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","github","github-actions","gpg","secrets"],"created_at":"2025-02-11T23:24:18.093Z","updated_at":"2025-10-26T18:31:20.718Z","avatar_url":"https://github.com/zgosalvez.png","language":"JavaScript","readme":"# GitHub Action — Decrypt Secrets\n\nThis GitHub Action (written in JavaScript) allows you to leverage GitHub Actions to decrypt secrets from a JSON file using `gpg`. For more information, see the \"[gpg manpage](https://www.gnupg.org/gph/de/manual/r1023.html).\" Common workflows are:\n\n* [A central secrets repository](#a-central-secrets-repository)\n* [Environment based secrets](#environment-based-secrets)\n\n*Note:* This currently does not support a JSON file that is more than one level deep.\n\n## Usage\n### Pre-requisites\nCreate a workflow `.yml` file in your `.github/workflows` directory. [Example workflows](#common-workflows) are available below. For more information, reference the GitHub Help Documentation for [Creating a workflow file](https://help.github.com/en/articles/configuring-a-workflow#creating-a-workflow-file).\n\n### Inputs\nAll of these inputs are required. For more information on these inputs, see the [Workflow syntax for GitHub Actions](https://docs.github.com/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith)\n\n- `secrets_file`: The `gpg` file. For example, `.github/workflows/secrets.json.gpg`\n- `map`: Describes the map between the environment variables and secret keys. For example, `SECRET_PASSWORD=PASSWORD,PASSPHRASE=passphrase`\n\nAdditionally, you must set the `GPG_PASSPHRASE` environment variable to decrypt the JSON file.\n\n### Outputs\nNone. The secrets are exported as environment variables through the `map` input. For more information, see the [Environment variables](https://docs.github.com/actions/reference/environment-variables) documentation\n\n### Common workflows\n\nOn any workflow you will need to do the following:\n\n1. Store your secrets in a JSON file. *Warning:* Do not commit this in your repository.\n2. Encrypt your JSON file to `gpg` using a long alphanumeric passphrase. For example:\n```shell\ngpg --symmetric --cipher-algo AES256 secrets.json \n```\n3. Place and commit the generated `gpg` file (e.g., `secrets.json.gpg`) in your repository. The recommended location is `.github/workflows/secrets.json.gpg` or `.github/workflows/secrets/beta.json.gpg`.\n\n#### A central secrets repository\nInstead of manually setting all of your secrets in GitHub's settings, you can simply store the passphrase you used when encrypting the JSON file using `gpg`. For example:\n```json\n{\n \"PASSWORD\": \"cSHS4mE\u0026vDRJqKaPO\u0026Fi{g@JCyv3|#Y\u003e\u003c\u003eMp{8KP2m\u003c#H0DL*F\",\n \"passphrase\": \"7heGrecgc\u003c7oYLURMR%y6y#)fEl2zWF%j%PiL$E5s$za4PtxlC\",\n}\n```\n```yaml\non: push\n\nname: Continuous Integration\n\njobs:\n build:\n name: Example\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions/checkout@v2\n - name: Decrypt secrets\n uses: zgosalvez/github-actions-decrypt-secrets@v3\n with:\n secrets_file: .github/workflows/secrets.json.gpg\n map: 'SECRET_PASSWORD=PASSWORD,PASSPHRASE=passphrase'\n env:\n GPG_PASSPHRASE: ${{ secrets.SECRETS_PASSPHRASE }}\n - name: Test (Do not expose your actual secrets!)\n run: |\n echo $SECRET_PASSWORD\n echo $PASSPHRASE\n```\n\n#### Environment-based secrets\nAnother common scenario is when you need the same environment variable with a different value that depends on the environment. For example, you may have two JSON files: beta and production.\n```yaml\non:\n push:\n - beta\n - production\n\nname: Continuous Deployment\n\njobs:\n build:\n name: Example\n runs-on: ubuntu-latest\n steps:\n - name: Checkout code\n uses: actions/checkout@v2\n - name: Determine environment\n id: determine_environment\n run: echo \"::set-output name=environment::${GITHUB_REF#refs/heads/}\"\n - name: Decrypt ${{ steps.determine_environment.outputs.environment }} secrets\n uses: zgosalvez/github-actions-decrypt-secrets@v3\n with:\n secrets_file: .github/workflows/secrets/${{ steps.determine_environment.outputs.environment }}.json.gpg\n map: 'SECRET_PASSWORD=PASSWORD,PASSPHRASE=passphrase'\n env:\n GPG_PASSPHRASE: ${{ secrets.SECRETS_PASSPHRASE }}\n - name: Test (Do not expose your actual secrets!)\n run: |\n echo $SECRET_PASSWORD\n echo $PASSPHRASE\n```\n\n## License\nThe scripts and documentation in this project are released under the [MIT License](LICENSE.md)\n","funding_links":["https://github.com/sponsors/zgosalvez"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzgosalvez%2Fgithub-actions-decrypt-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzgosalvez%2Fgithub-actions-decrypt-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzgosalvez%2Fgithub-actions-decrypt-secrets/lists"}