SecretHub is a secrets management tool that works for every engineer. Securely provision passwords and keys throughout your entire stack with just a few lines of code.

No more copy-pasting sensitive values into a GUI. Securely load secrets into GitHub Actions and sync them automatically using SecretHub.

This Action is officially supported and actively maintained by SecretHub, but community contributions are very welcome.

The env-export action reads all referenced secrets from environment variables prefixed by secrethub:// and secrets specified in the secrethub.env template file, and makes the secret values available as environment variables to the rest of the job.

It leverages GitHub's output masking feature, so if secret values are (accidentally) logged, they get replaced with *****.

on: push
jobs:
  notify-slack:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: secrethub/actions/[email protected]
        env:
          SECRETHUB_CREDENTIAL: ${{ secrets.SECRETHUB_CREDENTIAL }}
          SLACK_WEBHOOK: secrethub://company/app/slack/webhook
      - name: Print environment with masked secrets
        run: printenv
      - name: Notify Slack
        # This action expects SLACK_WEBHOOK to be set, which is now done automatically
        uses: Ilshidur/[email protected]
        with:
          args: Sent from GitHub Actions with secrets from SecretHub 🔑

The example above passes the SECRETHUB_CREDENTIAL environment variable. This credential is used to authenticate to SecretHub and decrypt your secrets.

You can obtain a credential by creating a service account. Service accounts are completely separate accounts from your personal account, which means you can manage their access separately and you can identify them in the audit log.

After you've obtained a credential for SecretHub, you store it in a GitHub secret, so that it can be fetched in your action as shown above.