Infisical Secrets Action
This GitHub Action enables you to import secrets from Infisical—whether hosted in the cloud or self-hosted—directly into your GitHub workflows.
Configuration
- In order to use this, you will need to configure a Machine Identity for your project.
- This action supports three ways to authenticate your workflows with Infisical: AWS IAM Auth, OIDC Auth, and Universal Auth.
AWS IAM Auth
- Configure a machine identity to use the "AWS Auth" method. Set the allowed principal ARNs, account IDs, and other settings as needed for your setup. Refer to the setup guide here.
- Get the machine identity's ID.
- Set `method` to `aws-iam` and configure the `identity-id` input parameter.
- Your GitHub Action runner must have access to AWS credentials (either through IAM roles, environment variables, or other AWS credential providers).
- Ensure your runner has network access to AWS STS API endpoints.
```yaml
- uses: Infisical/secrets-action@v1.0.9
  with:
    method: "aws-iam"
    identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
    env-slug: "dev"
    project-slug: "cli-integration-tests-9-edj"
```
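A complete job for the AWS IAM method, added here as an example (not part of the action's README): the runner first obtains AWS credentials through `aws-actions/configure-aws-credentials`, then the Infisical action authenticates with them. The role ARN, region and the `DB_PASSWORD` secret name are placeholders; the machine identity's allowed principal ARNs must include the assumed role.

```yaml
name: fetch-secrets-aws-iam
on: [push]

permissions:
  id-token: write   # lets configure-aws-credentials assume the role via GitHub's OIDC token
  contents: read

jobs:
  load-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Obtain AWS credentials for the runner
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/infisical-ci-role  # placeholder ARN
          aws-region: us-east-1                                             # placeholder region

      - name: Import secrets from Infisical
        uses: Infisical/secrets-action@v1.0.9
        with:
          method: "aws-iam"
          identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
          domain: "https://app.infisical.com"
          env-slug: "dev"
          project-slug: "cli-integration-tests-9-edj"

      - name: Check that a secret was injected without echoing its value
        run: |
          # DB_PASSWORD is an assumed secret name; secrets arrive as environment variables
          test -n "$DB_PASSWORD" || { echo "DB_PASSWORD was not injected" >&2; exit 1; }
```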
OIDC Auth
- Configure a machine identity to use the "OIDC Auth" method. Set the bound audience, bound subject, and bound claims as needed for your setup. Refer to the setup guide here.
- Get the machine identity's ID.
- Set `method` to `oidc` and configure the `identity-id` input parameter. Optionally, customize the JWT's `aud` field by setting the `oidc-audience` input parameter.
- For debugging OIDC configuration issues, you can use GitHub's actions-oidc-debugger tool. This tool helps you inspect the JWT claims and verify they match your configuration.
- Add `id-token: write` to the permissions for your workflow:
```yaml
permissions:
  id-token: write
  contents: read
```
Universal Auth
- Configure a machine identity to have an auth method of "Universal Auth".
- Get the machine identity's `client_id` and `client_secret` and store them as GitHub secrets (recommended) or environment variables.
- Set the `client-id` and `client-secret` input parameters.
Usage
With this action, you can use your Infisical secrets in two ways: as environment variables or as a file.
As environment variables
Secrets are injected as environment variables and can be referenced by subsequent workflow steps.
```yaml
- uses: Infisical/secrets-action@v1.0.9
  with:
    method: "oidc"
    identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
    env-slug: "dev"
    project-slug: "cli-integration-tests-9-edj"
```
As a file
Exports secrets to a file in your GITHUB_WORKSPACE, useful for applications that read from .env files.
```yaml
- uses: Infisical/secrets-action@v1.0.9
  with:
    method: "oidc"
    identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
    env-slug: "dev"
    project-slug: "cli-integration-tests-9-edj"
    export-type: "file"
    file-output-path: "/src/.env" # defaults to "/.env"
```
Note: Make sure to configure an `actions/checkout` step before using this action in file export mode.
```yaml
steps:
  - name: Checkout code
    uses: actions/checkout@v4
```
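The OIDC and file-export pieces above assembled into one complete workflow, added as an example that is not part of the action's README: the `permissions` block grants only `id-token: write` and `contents: read`, checkout runs before the file export as the note requires, and a final step confirms the file was written while printing only key names. The `secret-path` value is an assumed folder.

```yaml
name: fetch-secrets-oidc
on: [push]

permissions:
  id-token: write   # needed so the runner can request a signed GitHub ID token
  contents: read    # minimum needed by actions/checkout

jobs:
  load-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code   # must precede file export, per the README note
        uses: actions/checkout@v4

      - name: Import secrets from Infisical as a .env file
        uses: Infisical/secrets-action@v1.0.9
        with:
          method: "oidc"
          identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
          domain: "https://app.infisical.com"
          env-slug: "dev"
          project-slug: "cli-integration-tests-9-edj"
          secret-path: "/backend"     # assumed folder inside the environment
          export-type: "file"
          file-output-path: "/.env"   # written inside GITHUB_WORKSPACE

      - name: Verify the file exists, listing keys only
        run: |
          test -s "$GITHUB_WORKSPACE/.env" || { echo ".env was not written" >&2; exit 1; }
          # Print the names before the first '=' so no secret value reaches the job log
          cut -d= -f1 "$GITHUB_WORKSPACE/.env"
```

Keep the generated `.env` out of uploaded artifacts and caches, since any step that reads it after this one has the plaintext values.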
Inputs
method
Optional. The authentication method to use. Defaults to universal. Possible values are universal, oidc, and aws-iam.
client-id
Optional. Machine Identity client ID
client-secret
Optional. Machine Identity secret key
identity-id
Optional. Machine Identity ID
oidc-audience
Optional. Custom aud claim for the signed Github ID token
project-slug
Required. Source project slug
env-slug
Required. Source environment slug
domain
Optional. Infisical URL. Defaults to https://app.infisical.com. If you're using Infisical EU (https://eu.infisical.com) or a self-hosted/dedicated instance, you will need to set the appropriate value for this field.
export-type
Optional. If set to env, it will set the fetched secrets as environment variables for subsequent steps of a workflow. If set to file, it will export the secrets in a .env file in the defined file-output-path. Defaults to env
file-output-path
Optional. The path to save the file when export-type is set to file. Defaults to /.env
secret-path
Optional. Source secret path. Defaults to /. Example: /my-secret-path.
include-imports
Optional. If set to true, it will include imported secrets. Defaults to true
recursive
Optional. If set to true, it will fetch all secrets from the specified base path and all of its subdirectories. Defaults to false
extra-headers
Optional. You can optionally provide extra headers that will be included in every request made to Infisical. This is useful if your Infisical instance is behind a header-based firewall.
Example:
```yaml
extra-headers: |
  Example-Header: Header-Value
  X-Request-Id: 1234567890
  X-Authentication-Secret: ${{ secrets.AUTH_SECRET }}
```
Using Infisical Secrets Action with Internal CA Certificate
When your Infisical instance uses an internal Certificate Authority (CA) that isn't trusted by default in GitHub Actions runners, you'll need to configure the action to recognize your custom CA certificate.
Setup
1. Add your CA certificate to your repository
- Save your CA certificate file (e.g., `ca-certificate.pem`) in your repository root or `.github/` directory
- Ensure the certificate is in PEM format
2. Configure the GitHub Actions workflow to use it
```yaml
jobs:
  your-job-name:
    runs-on: ubuntu-latest
    env:
      NODE_EXTRA_CA_CERTS: ./ca-certificate.pem # Path to your CA certificate
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Infisical Secrets
        uses: Infisical/secrets-action@v1.0.12
        with:
          method: "universal"
          domain: "https://<infisical instance url>" # Your internal Infisical domain
          # rest of the parameters
```