GitHub Actions

Prerequisites

• You have created a project in Doppler
• You have a GitHub account with repository permissions for configuring GitHub Secrets and Actions (and optionally organization permissions for configuring GitHub Organization Secrets).

GitHub Environment

As GitHub doesn't fit into either Development, Staging, or Production, we'll create a dedicated GitHub environment.

Head to the Project page and click Options > Create Environment, then name it GitHub and optionally change the order to have it placed after Development.

Authorization

The next step is authorizing the Doppler GitHub Application to provide access for syncing secrets from Doppler to a chosen repository.

To authorize, click Integrations from the Projects menu, then select GitHub:

Choose the GitHub account or organization to authorize:

Select which repositories Doppler will have secrets access to:

You'll then be redirected back to Doppler. You can now select the config and which repository to sync secrets to:

Click Set Up Integration, and once complete, Doppler will have synced all secrets in the chosen config, as well as creating three DOPPLER specific secrets:

Now every time you add, update or remove a secret in Doppler, that change will be instantly reflected in the GitHub secrets for the chosen repository.

📘

Doppler cannot import existing secrets or sync changes to secrets made in GitHub as the secret values are hidden. All secret changes should be made in Doppler to avoid possible confusion.

Multiple Environments

If your GitHub repository is public, then you can take advantage of Environments. If you have any created, you can choose which environment to use when setting up the GitHub integration.

When an environment is selected, your Doppler secrets will be synced to the Environment secrets for the chosen environment rather than the Repository secrets. To sync multiple configs to separate environments, just create additional GitHub Action integration syncs and specify a different Environment during setup.

Organization Secrets

If you connected Doppler to a GitHub Organization, then you'll have the option to sync your secrets to your GitHub Organization Secrets. When setting up the sync, you'll find a Sync Target option that lets you choose between a Repository and the Organization. Choose Organization and then select the Secret Scope you'd like to use.

All Repositories will make any secrets you sync here accessible to both public and private repos in your organization. Private Repositories will only make the secrets accessible to private repos in your organization. After selecting a scope, choose which config you want to have synced over and then click Set Up Integration.

Dependabot Secrets

Syncing secrets for Dependabot is not possible as Dependabot secrets are stored separately and no API exists to manage them.

We recommend adding a branch-ignore rule for actions that require access to repository scoped secrets set by Doppler as an action triggered by the creation of a pull request by Dependabot can only access Dependabot scoped secrets.

One workaround is to be able to trigger the required action(s) manually or a nicer (but a more involved solution) could be to use a GitHub Application to trigger actions from Dependabot pull requests as they will be executed with the permissions assigned to the application, thereby working around the Dependabot user restriction.

👍

Amazing Work!

The Doppler GitHub integration will now instantly sync your secret changes to GitHub.