GitHub Actions

reading time 5 mins

This guide will show you how to enable the Doppler integration for GitHub to make secrets management easy for GitHub Actions.

Prerequisites

  • You have created a project in Doppler
  • You have a GitHub account with repository permissions for configuring GitHub Secrets and Actions

Authorizing the GitHub Integration

The Doppler integration for GitHub enables a repository to be given access to the secrets for a specific config.

The first step is to authorize the Doppler integration by clicking on Integrations from the Projects menu, then selecting GitHub Actions.

Next, choose the GitHub account or organization to authorize.

Now select which repositories you want Doppler to supply secrets for.

Finally, you'll be redirected back to Doppler, where you'll choose the Doppler config the repository will have access to.

Click Setup Integration. Once setup completes, Doppler will have added a new GitHub Secret named DOPPLER_TOKEN to the selected repository, enabling secrets access for the selected config.

Accessing Doppler Secrets from a GitHub Action

Now, let's create a sample GitHub Action to show you how to access Doppler secrets.

First, we need to install the Doppler CLI through our official action.

Then we use doppler run to fetch the config secrets using the DOPPLER_TOKEN GitHub Secret, automatically created by our integration.

name: Sample Doppler Secrets Access
on: [push]

jobs:
    main:
        runs-on: ubuntu-latest # ubuntu, macos, and windows are supported
        steps:
            - name: Install Doppler CLI
              uses: dopplerhq/[email protected]

            - name: Test Doppler Access
              run: doppler run -- printenv | grep SECRET_NAME
              env:
                  DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

Performing a manual run of the GitHub Action shows it was able to successfully retrieve secrets from Doppler.

Usage tip: Passing Doppler Secrets to Next Steps

A common use case is to fetch secrets from Doppler that will be used by the steps that follow in your GitHub Action. You can choose to pass either all secrets or a single secret.

To pass all secrets to the steps that follow (will fail if any secrets are multiline):

- name: Pass all secrets to next steps
  run: doppler secrets download --no-file --format=env >> $GITHUB_ENV
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

- name: Print variable from Doppler 
  run: echo "$YOUR_SECRET_IN_DOPPLER"

To pass a single line secret to the steps that follow:

- name: Pass single line secret to next steps
  run: echo "YOUR_SECRET_IN_DOPPLER=$(doppler secrets get YOUR_SECRET_IN_DOPPLER --plain)" >> $GITHUB_ENV
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

- name: Print variable from Doppler 
  run: echo "$YOUR_SECRET_IN_DOPPLER"

To pass a multiline secret to the steps that follow:

- name: Pass multiline secret to next steps
  run: |
    echo 'YOUR_SECRET_IN_DOPPLER<<EOF' >> $GITHUB_ENV
    doppler secrets get YOUR_SECRET_IN_DOPPLER --plain >> $GITHUB_ENV
    echo 'EOF' >> $GITHUB_ENV
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

- name: Print variable from Doppler 
  run: echo "$YOUR_SECRET_IN_DOPPLER"
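
The fixed EOF delimiter above ends the value early if the secret itself contains a line reading EOF, and values fetched from Doppler at run time are not masked in job logs the way GitHub Secrets are. The following is an added example, not part of the Doppler documentation: a shell helper that writes the same NAME<<delimiter block with a random delimiter and registers each line with the add-mask workflow command. The names put_env and gen_delim are hypothetical.

```shell
#!/bin/sh
# Added example, not Doppler's code. put_env and gen_delim are hypothetical names.
# Usage inside a step that has DOPPLER_TOKEN set:
#   doppler secrets get YOUR_SECRET_IN_DOPPLER --plain \
#     | put_env YOUR_SECRET_IN_DOPPLER "$GITHUB_ENV"

# gen_delim: print an unpredictable delimiter (128 random bits, hex encoded).
gen_delim() {
  printf 'ghadelim_%s' "$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
}

# put_env NAME FILE: read a secret value on stdin and append it to FILE in
# the NAME<<delimiter multiline format. The body runs in a subshell, so its
# variables stay local and "exit" only leaves the function.
put_env() (
  name=$1 file=$2
  # Only accept names that are valid environment variable identifiers.
  case $name in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name: $name" >&2; exit 1 ;;
  esac
  value=$(cat)            # command substitution drops trailing newlines
  delim=$(gen_delim)
  # A value containing the delimiter would end the block early: refuse it.
  case $value in
    *"$delim"*) echo "delimiter collision, retry" >&2; exit 1 ;;
  esac
  # Register each non-empty line as a mask so later log output shows ***.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done
  # Explicit newlines keep the closing delimiter on a line of its own.
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$file"
)
```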

Multiple Configs with Service Tokens

Currently, our GitHub integration supports one config only, as it creates a single DOPPLER_TOKEN GitHub Secret.
If your GitHub Actions need multiple configs, e.g. build and deploy for staging and production, the solution is to create a Doppler Service Token for each config.

The environment-specific service token can then be exposed as the DOPPLER_TOKEN environment variable for the relevant step.

name: Multi-environment build and deploy with Doppler

on:
  push:
    branches:
      - master
      - staging

jobs:
  deploy-webapp:
    runs-on: ubuntu-latest

    steps:
      - name: Staging build and deploy
        if: github.ref == 'refs/heads/staging'
        env:
          DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN_STAGING }}
        run: |
          npm run build  # assumes a "build" script in package.json
          doppler run -- ./bin/deploy-staging

      - name: Production build and deploy
        if: github.ref == 'refs/heads/master'
        env:
          DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN_PRODUCTION }}
        run: |
          npm run build  # assumes a "build" script in package.json
          doppler run -- ./bin/deploy-production

👍

Amazing Work!

Now you are all set up with GitHub Actions. The next time you run an action, your secrets will be fetched from Doppler.

Updated 27 days ago

