GitHub Actions

Learn how to set up the Doppler integration for GitHub to enable automatic secrets syncing for GitHub Actions.

Dependabot secrets sync is not supported

Check out the Dependabot Secrets section for more details.

Prerequisites

  • You have created a project in Doppler
  • You have a GitHub account with repository permissions for configuring GitHub Secrets and Actions

GitHub Environment

Because GitHub doesn't fit into Development, Staging, or Production, we'll create a dedicated GitHub environment.

Head to the Project page and click Options > Create Environment, then name it GitHub and optionally change the order to have it placed after Development.

Authorization

The next step is authorizing the Doppler GitHub Application to provide access for syncing secrets from Doppler to a chosen repository.

To authorize, click Integrations from the Projects menu, then select GitHub:

Choose the GitHub account or organization to authorize:

Select which repositories Doppler will have secrets access to:

You'll then be redirected back to Doppler to select the config and the repository to sync secrets to:

Click Set Up Integration. Once setup completes, Doppler will have synced all secrets in the chosen config and created three DOPPLER-specific secrets:

Now every time you add, update or remove a secret in Doppler, that change will be instantly reflected in the GitHub secrets for the chosen repository.

Doppler cannot import existing GitHub secrets or sync changes made to secrets in GitHub, because the secret values are hidden. All secret changes should be made in Doppler to avoid possible confusion.

Multiple Environments

Currently, our GitHub integration supports one config per repository but we are investigating supporting multiple configs once GitHub Environments becomes generally available.

Dependabot Secrets

Syncing secrets for Dependabot is not possible as Dependabot secrets are stored separately and no API exists to manage them.

We recommend adding a branch-ignore rule for actions that require access to repository-scoped secrets set by Doppler, because an action triggered by a pull request that Dependabot creates can only access Dependabot-scoped secrets.

One workaround is to trigger the required action(s) manually. A nicer but more involved solution is to use a GitHub Application to trigger actions from Dependabot pull requests: they will then be executed with the permissions assigned to the application, thereby working around the Dependabot user restriction.
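
The workflow below is an added example, not taken from Doppler's documentation, showing the branch-ignore rule and the manual-trigger workaround together. The workflow name, job name, secret name `API_KEY` and script path are hypothetical; `branches-ignore`, `workflow_dispatch` and `github.actor` are standard GitHub Actions workflow syntax.

```yaml
# Added example; names marked "hypothetical" are assumptions, not from the page.
name: deploy   # hypothetical workflow name

on:
  push:
    # For push events the filter matches the pushed branch, so this skips
    # the branches Dependabot creates (named dependabot/...).
    branches-ignore:
      - 'dependabot/**'
  pull_request:
    # For pull_request events, branch filters match the BASE branch, so a
    # branches-ignore entry cannot exclude Dependabot pull requests here.
    # The job-level `if` below handles that case instead.
  workflow_dispatch: {}   # manual trigger, the workaround described above

jobs:
  deploy:   # hypothetical job name
    runs-on: ubuntu-latest
    # Skip runs started by Dependabot: they can only read Dependabot-scoped
    # secrets, so repository secrets synced by Doppler would resolve empty.
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
      - name: Use a Doppler-synced secret
        env:
          API_KEY: ${{ secrets.API_KEY }}   # hypothetical secret name
        run: |
          # Fail closed if the secret did not resolve, rather than
          # continuing with an empty credential.
          if [ -z "$API_KEY" ]; then
            echo "API_KEY is empty; secret not available to this run" >&2
            exit 1
          fi
          ./scripts/deploy.sh   # hypothetical script path
```

A run started manually through `workflow_dispatch` executes as the user who triggered it, so the repository-scoped secrets are available even when the selected branch was created by Dependabot.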

Amazing Work!

The Doppler GitHub integration will now instantly sync your secret changes to GitHub.
