Integrations

GitHub Actions Integration

Pull secrets from secr and inject them as masked environment variables in your GitHub Actions workflows. Zero npm dependencies, runs on Node 20+.

Quick Start

Add the secr action to any workflow to inject secrets as environment variables. Values are automatically masked in logs.

.github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Inject secrets from secr
        uses: secr-dev/secr@v1
        with:
          token: ${{ secrets.SECR_TOKEN }}
          org: my-org
          project: my-project
          environment: production

      # All secrets are now available as env vars
      - name: Deploy
        run: |
          echo "Deploying with ${{ env.DATABASE_URL }}"
          npm run deploy

Setup

1. Create a CLI token

Generate a scoped token for CI/CD usage. Give it a descriptive name so you can identify it later.

secr token create --name "github-actions-prod"

2. Store the token in GitHub Secrets

Navigate to your repository on GitHub, then go to Settings → Secrets and variables → Actions. Create a new repository secret named SECR_TOKEN and paste your token value.

3. Add the action to your workflow

Reference the action in your workflow file and pass the required inputs. The action pulls secrets from the secr API and writes them to $GITHUB_ENV, making them available to all subsequent steps.

Inputs

Option      | Type   | Required | Description
token       | string | Yes      | secr CLI token (secr_tok_...). Store as a GitHub secret.
org         | string | Yes      | Organization slug in secr.
project     | string | Yes      | Project slug in secr.
environment | string | Yes      | Environment slug (e.g. production, staging, development).
api-url     | string | No       | secr API base URL. Defaults to https://api.secr.dev.

Multi-Environment Example

Use separate jobs for staging and production deployments, each pulling from the appropriate secr environment.

.github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main, staging]

jobs:
  deploy-staging:
    if: github.ref == 'refs/heads/staging'
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: actions/checkout@v4

      - name: Inject staging secrets
        uses: secr-dev/secr@v1
        with:
          token: ${{ secrets.SECR_TOKEN }}
          org: my-org
          project: my-project
          environment: staging

      - run: npm ci && npm run deploy

  deploy-production:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v4

      - name: Inject production secrets
        uses: secr-dev/secr@v1
        with:
          token: ${{ secrets.SECR_TOKEN }}
          org: my-org
          project: my-project
          environment: production

      - run: npm ci && npm run deploy

Security Notes

  • Token scoping — Create a dedicated token for CI/CD with the minimum permissions needed. Avoid reusing personal tokens.
  • Value masking — All secret values are automatically masked in workflow logs using ::add-mask::. This prevents accidental exposure in build output.
  • Multiline values — Secrets containing newlines (e.g. private keys, certificates) are handled using heredoc delimiters when writing to $GITHUB_ENV.
  • Least privilege — Store the SECR_TOKEN as a repository or environment secret, not an organization secret, unless multiple repos need the same token.
  • GitHub Environments — Combine with GitHub Environments to require approvals before production deployments. Secrets stored in an environment are only exposed to jobs that reference that environment.

Troubleshooting

Error                                              | Cause                                                         | Fix
Missing required environment variables: SECR_TOKEN | The token input was not passed or the GitHub secret is empty. | Ensure SECR_TOKEN is set in Settings > Secrets and referenced with ${{ secrets.SECR_TOKEN }}.
HTTP 401 — Unauthorized                            | The token is invalid, expired, or revoked.                    | Generate a new token with secr token create and update the GitHub secret.
HTTP 404 — Project not found                       | The org, project, or environment slug is incorrect.           | Verify slugs with secr projects list and check for typos in your workflow.
Failed to connect to secr API                      | Network issue or the API URL is wrong.                        | Verify your network allows outbound HTTPS to api.secr.dev from GitHub runners.
