GitHub Actions

Bring new features and workflows for managing repository secrets with our GitHub integration.

Prerequisites

  • You have created a project in Doppler
  • You have a GitHub account with repository permissions for configuring GitHub Secrets and Actions

GitHub Environment

As GitHub doesn't fit into Development, Staging, or Production, we'll create a dedicated GitHub environment.

Head to the Project page and click Options > Create Environment, then name it GitHub and optionally change the order to have it placed after Development.

Authorization

The next step is authorizing the Doppler GitHub Application to provide access for syncing secrets from Doppler to a chosen repository.

To authorize, click Integrations from the Projects menu, then select GitHub:

Choose the GitHub account or organization to authorize:

Select which repositories Doppler will have secrets access to:

You'll then be redirected back to Doppler, where you select the config and the repository to sync secrets to:

Click Set Up Integration. Once complete, Doppler will have synced all secrets in the chosen config and created three DOPPLER-specific secrets:

Now every time you add, update or remove a secret in Doppler, that change will be instantly reflected in the GitHub secrets for the chosen repository.

Doppler cannot import existing secrets or sync changes to secrets made in GitHub as the secret values are hidden. All secret changes should be made in Doppler to avoid possible confusion.

Multiple Environments

If your GitHub repository is public, then you can take advantage of Environments. If you have any created, you can choose which environment to use when setting up the GitHub integration.

When an environment is selected, your Doppler secrets will be synced to the Environment secrets for the chosen environment rather than the Repository secrets. To sync multiple configs to separate environments, just create additional GitHub Action integration syncs and specify a different Environment during setup.

Dependabot Secrets

Syncing secrets for Dependabot is not possible as Dependabot secrets are stored separately and no API exists to manage them.

We recommend adding a branch-ignore rule for actions that require access to repository-scoped secrets set by Doppler, as an action triggered by the creation of a pull request by Dependabot can only access Dependabot-scoped secrets.

One workaround is to trigger the required action(s) manually. A nicer (but more involved) solution could be to use a GitHub Application to trigger actions from Dependabot pull requests: they will then be executed with the permissions assigned to the application, thereby working around the Dependabot user restriction.
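
A workflow sketch for the branch-ignore rule and manual trigger described above, added here as an example and not taken from Doppler's documentation. The file path, job name, `EXAMPLE_API_KEY` secret name and `./scripts/deploy.sh` script are assumptions. Because `branches-ignore` under `pull_request` matches the base branch, the example also excludes Dependabot pull requests by actor.

```yaml
# Hypothetical workflow file: .github/workflows/deploy.yml
name: deploy

on:
  push:
    # Skip pushes to Dependabot's branches (named dependabot/<ecosystem>/...):
    # runs triggered by Dependabot cannot read the repository secrets
    # synced by Doppler, only Dependabot-scoped secrets.
    branches-ignore:
      - 'dependabot/**'
  pull_request:
  # Manual trigger, corresponding to the manual workaround described above.
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    # branches-ignore under pull_request filters on the base branch, not the
    # pull request's head branch, so Dependabot pull requests are excluded
    # by actor instead.
    if: github.actor != 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v4
      - name: Run step that needs a synced secret
        env:
          # EXAMPLE_API_KEY is a placeholder name for a secret synced from Doppler.
          EXAMPLE_API_KEY: ${{ secrets.EXAMPLE_API_KEY }}
        run: ./scripts/deploy.sh   # placeholder script
```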

Amazing Work!

The Doppler GitHub integration will now instantly sync your secret changes to GitHub.

