Manage GitHub secrets with support for bulk operations and organization secrets
MIT License
SecretHub lets you easily manage your GitHub secrets from the command line with support for bulk operations and organization secrets.
With Ruby:
$ gem install secret_hub
Or with Docker:
$ alias secrethub='docker run --rm -it -e GITHUB_ACCESS_TOKEN -v "$PWD:/app" dannyben/secrethub'
SecretHub is a wrapper around the GitHub Secrets API. To use it, you need to set up your environment with a GitHub Access Token:
$ export GITHUB_ACCESS_TOKEN=<your access token>
Give your token the repo scope, and for organization secrets, the admin:org scope.
SecretHub has three families of commands:
- secrethub repo - manage repository secrets.
- secrethub org - manage organization secrets.
- secrethub bulk - manage multiple secrets in multiple repositories using a config file.

$ secrethub
GitHub Secret Manager
Commands:
repo Manage repository secrets
org Manage organization secrets
bulk Manage multiple secrets in multiple repositories
Run secrethub COMMAND --help for command specific help
$ secrethub repo
Usage:
secrethub repo list REPO
secrethub repo save REPO KEY [VALUE]
secrethub repo delete REPO KEY
secrethub repo (-h|--help)
$ secrethub org
Usage:
secrethub org list ORG
secrethub org save ORG KEY [VALUE]
secrethub org delete ORG KEY
secrethub org (-h|--help)
$ secrethub bulk
Usage:
secrethub bulk init [CONFIG]
secrethub bulk show [CONFIG --visible]
secrethub bulk list [CONFIG]
secrethub bulk save [CONFIG --clean --dry --only REPO]
secrethub bulk clean [CONFIG --dry]
secrethub bulk (-h|--help)
All the bulk operations use a simple YAML configuration file. The configuration file includes a list of GitHub repositories, each with a list of its secrets.
For example:
# secrethub.yml
user/repo:
- SECRET
- PASSWORD
- SECRET_KEY
user/another-repo:
- SECRET
- SECRET_KEY
Each list of secrets can be either an array or a hash.
With the array syntax, all secrets must be defined as environment variables.
user/repo:
- SECRET
- PASSWORD
With the hash syntax, each secret may define its value or leave it blank. When a secret value is blank, it is loaded from the environment.
user/another-repo:
  SECRET:
  PASSWORD: p4ssw0rd
SecretHub ignores any key that does not look like a repository (does not include a slash /). Using this feature, you can define reusable YAML anchors:
docker: &docker
  DOCKER_USER:
  DOCKER_PASSWORD:
user/repo:
  <<: *docker
  SECRET:
  PASSWORD: p4ssw0rd
Note that YAML anchors only work with the hash syntax.
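A pre-flight check for a bulk config, as an added example (not SecretHub's own code): it applies the rules as stated above and reports, per repository, whether each secret would be read from the environment, is stored inline in the file, or is blank with no matching environment variable. The audit_config name, the report format and the sample config are assumptions of this example.

```ruby
require "yaml"

# Constructed sample config: an anchor, the hash syntax and the array syntax.
SAMPLE_CONFIG = <<~YAML
  docker: &docker
    DOCKER_USER:
    DOCKER_PASSWORD:

  user/repo:
    <<: *docker
    SECRET:
    PASSWORD: p4ssw0rd

  user/another-repo:
  - SECRET
  - SECRET_KEY
YAML

# Returns { "owner/repo" => { "KEY" => :env | :inline | :missing } }.
# Only the source of each value is reported, never the value itself.
def audit_config(yaml_text, env = ENV)
  config = YAML.safe_load(yaml_text, aliases: true) || {}
  raise ArgumentError, "top level must be a mapping" unless config.is_a?(Hash)

  config.each_with_object({}) do |(name, secrets), report|
    next unless name.to_s.include?("/") # keys without a slash are not repositories

    # The array syntax carries no values; treat it as a hash of blanks.
    secrets = secrets.to_h { |key| [key, nil] } if secrets.is_a?(Array)
    unless secrets.is_a?(Hash)
      raise ArgumentError, "#{name}: expected an array or a hash of secrets"
    end

    report[name] = secrets.to_h do |key, value|
      source =
        if !value.nil? then :inline                   # literal stored in the file
        elsif env[key.to_s].to_s.empty? then :missing # blank and not in the environment
        else :env
        end
      [key.to_s, source]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  audit_config(SAMPLE_CONFIG).each do |repo, keys|
    keys.each { |key, source| puts format("%-20s %-16s %s", repo, key, source) }
  end
end
```

Entries reported as inline are the ones whose plaintext value lives in the config file itself, so they are the ones to review before that file is committed or shared.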
If you experience any issue, have a question or a suggestion, or if you wish to contribute, feel free to open an issue.