How to get GitHub decrypted secrets out of the context of a GitHub Action?


So we currently are storing a lot of our secrets in GitHub, yet are trying to move to another CI/CD tool.

Still, we think they do their work correctly and we are trying to access the decrypted values from scripts that are running in multiple different languages.

We assumed there must be some GitHub REST API to access these values, but it seems the only way is using the GitHub workflow syntax. Is there any other way?


There isn't a REST API to bulk export secrets from GitHub Actions, but you have a few options for exporting them yourself.

One option is to export secrets by accessing the secret values normally and then echoing them to a file using indirection. You could do this via bash commands directly in the workflow, via a shell script, etc. You could then save this file as an artifact, so that you can download it to your local machine.

Another option is to have your shell script directly talk to your new secrets service to create the secrets there. For example, you can use the AWS CLI to add to Secrets Manager or Parameter Store.

One note: I would be skeptical of using any third party actions to export or migrate secrets given the potential sensitivity of the values involved.

Related question: How can I extract secrets using GitHub Actions?
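
The second option in the answer above (a script in the workflow that writes each secret straight into the new store) could look like the following. This is an added example, not part of the original answer; the secret names, the `migrated/` prefix and the `SECRET_PREFIX` variable are hypothetical, and it assumes the step already has AWS credentials and maps each secret into its environment.

```shell
#!/bin/sh
# Added example. Hypothetical workflow step that would call this script:
#   env:
#     DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
#     API_TOKEN: ${{ secrets.API_TOKEN }}
#   run: ./migrate-secrets.sh DB_PASSWORD API_TOKEN
# Assumes the step already has AWS credentials with secretsmanager:CreateSecret.

# migrate_secrets NAME...
# Copies each named environment variable into AWS Secrets Manager as
# "${SECRET_PREFIX}NAME". Logs names only, never values.
# Returns 0 if every secret was created, 1 if any was skipped or failed.
migrate_secrets() {
  local prefix="${SECRET_PREFIX:-migrated/}" name val tmp rc=0
  for name in "$@"; do
    # printenv reads the variable by name without eval; trailing newlines
    # in the value are dropped by the command substitution.
    if ! val=$(printenv "$name") || [ -z "$val" ]; then
      echo "skipped: $name is unset or empty" >&2
      rc=1
      continue
    fi
    # Pass the value through a temp file (mktemp creates it mode 0600) so it
    # never appears in argv or the process list.
    tmp=$(mktemp) || return 2
    printf '%s' "$val" > "$tmp"
    if aws secretsmanager create-secret --name "${prefix}${name}" \
         --secret-string "file://${tmp}" >/dev/null; then
      echo "created: ${prefix}${name}"
    else
      echo "failed: ${prefix}${name}" >&2
      rc=1
    fi
    rm -f "$tmp"
  done
  return "$rc"
}

# When run as a script with arguments, migrate the named secrets.
[ "$#" -eq 0 ] || migrate_secrets "$@"
```

Because the values go straight to the new store, no plaintext file is left in a workflow artifact, which stays downloadable from the run until it expires.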