Version: 1.0

GitHub Actions Integration

Roadmap feature

The syvault/secrets-action GitHub Action is in active development and not yet published to the GitHub Marketplace. This page documents the intended interface. For status updates, see the integrations repo.

The syvault/secrets-action GitHub Action fetches secrets from SyVault Secrets Manager and exposes them as environment variables or files in your workflow. No secrets need to be stored in GitHub's secrets settings beyond the SyVault client credentials.

Quick Start

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Fetch secrets from SyVault
        uses: syvault/secrets-action@v1
        with:
          server: https://vault.example.com
          client_id: ${{ secrets.SY_CLIENT_ID }}
          client_secret: ${{ secrets.SY_CLIENT_SECRET }}
          secrets: |
            DB_HOST = sy://Production/Database/field/host
            DB_PASSWORD = sy://Production/Database/field/password
            API_KEY = sy://Production/Stripe/field/secret_key

      - name: Deploy
        run: |
          echo "Deploying with database at $DB_HOST"
          ./deploy.sh

After the action runs, DB_HOST, DB_PASSWORD, and API_KEY are available as environment variables for all subsequent steps in the job.

Inputs

Input	Required	Description
`server`	Yes	SyVault server URL
`client_id`	Yes	Secrets Manager client ID
`client_secret`	Yes	Secrets Manager client secret (ECDSA private key)
`secrets`	Yes	Multiline mapping of `ENV_VAR = notation` pairs
`export_to`	No	`env` (default) or `file`
`file_path`	No	Output file path when `export_to` is `file` (default: `.env`)

Secrets Mapping Format

Each line in the secrets input maps an environment variable name to a SyVault notation:

ENV_VAR_NAME = sy://Folder/Title/field/fieldname

You can also reference secrets by UID:

ENV_VAR_NAME = uid:7Kj9mNpQ2xRs:password

Output as Environment Variables

By default, secrets are exported as masked environment variables. GitHub Actions automatically redacts them from log output.

- uses: syvault/secrets-action@v1
  with:
    server: https://vault.example.com
    client_id: ${{ secrets.SY_CLIENT_ID }}
    client_secret: ${{ secrets.SY_CLIENT_SECRET }}
    secrets: |
      DATABASE_URL = sy://Production/Database/field/connection_string

- name: Run migrations
  run: npx prisma migrate deploy
  # DATABASE_URL is available automatically

Output as File

Write secrets to a .env file for tools that read from disk:

- uses: syvault/secrets-action@v1
  with:
    server: https://vault.example.com
    client_id: ${{ secrets.SY_CLIENT_ID }}
    client_secret: ${{ secrets.SY_CLIENT_SECRET }}
    export_to: file
    file_path: .env.production
    secrets: |
      DB_HOST = sy://Production/Database/field/host
      DB_PORT = sy://Production/Database/field/port
      DB_USER = sy://Production/Database/field/username
      DB_PASS = sy://Production/Database/field/password

- name: Start server with dotenv
  run: node --env-file=.env.production server.js

Full CI/CD Example

A complete workflow that tests, builds, and deploys with SyVault secrets:

name: CI/CD Pipeline
on:
  push:
    branches: [main]
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: syvault/secrets-action@v1
        with:
          server: https://vault.example.com
          client_id: ${{ secrets.SY_CLIENT_ID }}
          client_secret: ${{ secrets.SY_CLIENT_SECRET }}
          secrets: |
            DATABASE_URL = sy://CI/TestDB/field/connection_string

      - run: npm ci
      - run: npm test

  deploy:
    needs: test
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: syvault/secrets-action@v1
        with:
          server: https://vault.example.com
          client_id: ${{ secrets.SY_CLIENT_ID }}
          client_secret: ${{ secrets.SY_CLIENT_SECRET }}
          secrets: |
            AWS_ACCESS_KEY_ID = sy://Production/AWS/field/access_key
            AWS_SECRET_ACCESS_KEY = sy://Production/AWS/field/secret_key
            AWS_REGION = sy://Production/AWS/field/region

      - name: Deploy to ECS
        run: |
          aws ecs update-service \
            --cluster prod \
            --service api \
            --force-new-deployment

Security Considerations

Store SY_CLIENT_ID and SY_CLIENT_SECRET in GitHub Actions encrypted secrets. These are the only credentials you need to store in GitHub.
The action masks all fetched secret values so they are redacted from workflow logs.
Secrets are only available for the duration of the job and are not persisted to disk unless you use export_to: file.
Use a dedicated Secrets Manager client for CI/CD with minimal folder access. Do not reuse production server clients.

Quick Start​

Inputs​

Secrets Mapping Format​

Output as Environment Variables​

Output as File​

Full CI/CD Example​

Security Considerations​