This GitHub Action enables you to import secrets from Infisical—whether hosted in the cloud or self-hosted—directly into your GitHub workflows.
- In order to use this, you will need to configure a Machine Identity for your project.
- Extract the machine identity's `client_id` and `client_secret` and store them as GitHub secrets (recommended) or environment variables.
With this action, you can use your Infisical secrets in two ways: as environment variables or as a file.
Secrets are injected as environment variables and can be referenced by subsequent workflow steps.
```yaml
- uses: Infisical/[email protected]
  with:
    client-id: ${{ secrets.MACHINE_IDENTITY_CLIENT_ID }} # Update this to your own Github references
    client-secret: ${{ secrets.MACHINE_IDENTITY_CLIENT_SECRET }} # Update this to your own Github references
    env-slug: "dev"
    project-slug: "example-project-r-i3x"
```
Exports secrets to a file in your `GITHUB_WORKSPACE`, useful for applications that read from `.env` files.
```yaml
- uses: Infisical/[email protected]
  with:
    client-id: ${{ secrets.MACHINE_IDENTITY_CLIENT_ID }} # Update this to your own Github references
    client-secret: ${{ secrets.MACHINE_IDENTITY_CLIENT_SECRET }} # Update this to your own Github references
    env-slug: "dev"
    project-slug: "example-project-r-i3x"
    export-type: "file"
    file-output-path: "/src/.env" # defaults to "/.env"
```
Note: Make sure to configure an `actions/checkout` step before using this action in file export mode.
```yaml
steps:
  - name: Checkout code
    uses: actions/checkout@v4
```
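A complete job in file export mode, as an added example that is not part of the original README or the Infisical project: it puts checkout first as the note requires, restricts the file's permissions, fails if the file is not git-ignored, and deletes it when the job ends. The `<version>` reference is a placeholder, and `run-tests.sh` and the `.gitignore` entry for `src/.env` are assumptions.

```yaml
# Added example. Workflow name, trigger, run-tests.sh and the .gitignore entry
# for src/.env are assumptions; <version> is a placeholder to replace.
name: build-with-infisical-secrets
on:
  push:
    branches: [main]

permissions:
  contents: read # the job only needs to read the repository

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # File export mode writes into GITHUB_WORKSPACE, so checkout runs first.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Export Infisical secrets to a .env file
        uses: Infisical/secrets-action@<version> # placeholder: pin a release tag or commit SHA
        with:
          client-id: ${{ secrets.MACHINE_IDENTITY_CLIENT_ID }}
          client-secret: ${{ secrets.MACHINE_IDENTITY_CLIENT_SECRET }}
          env-slug: "dev"
          project-slug: "example-project-r-i3x"
          export-type: "file"
          file-output-path: "/src/.env"

      - name: Guard the exported file
        run: |
          # Owner-only access for the rest of the job.
          chmod 600 "$GITHUB_WORKSPACE/src/.env"
          # Fail if a later `git add` or commit step could pick the file up.
          git -C "$GITHUB_WORKSPACE" check-ignore -q src/.env \
            || { echo "src/.env is not git-ignored" >&2; exit 1; }

      - name: Run tests # hypothetical step whose script reads src/.env
        working-directory: src
        run: ./run-tests.sh

      # Runs even when an earlier step fails, so the file does not outlive the
      # job on a reused runner or end up in a later artifact upload.
      - name: Remove the secrets file
        if: always()
        run: rm -f "$GITHUB_WORKSPACE/src/.env"
```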
- `client-id`: Required. Machine Identity client ID.
- `client-secret`: Required. Machine Identity secret key.
- `project-slug`: Required. Source project slug.
- `env-slug`: Required. Source environment slug.
- `domain`: Optional. Infisical URL. Defaults to `https://app.infisical.com`.
- `export-type`: Optional. If set to `env`, it will set the fetched secrets as environment variables for subsequent steps of a workflow. If set to `file`, it will export the secrets in a `.env` file in the defined `file-output-path`. Defaults to `env`.
- `file-output-path`: Optional. The path to save the file when `export-type` is set to `file`. Defaults to `/.env`.
- `secret-path`: Optional. Source secret path. Defaults to `/`.
- `include-imports`: Optional. If set to `true`, it will include imported secrets. Defaults to `true`.
- `recursive`: Optional. If set to `true`, it will fetch all secrets from the specified base path and all of its subdirectories. Defaults to `false`.