Doppler Secrets Fetch Action

This action enables you to fetch Doppler secrets for use in your GitHub Actions.

NOTE: If the GitHub Actions for your repository only require secrets from a single config, we recommend using our Doppler GitHub application instead, as it syncs secrets directly to your repository.

Configuration

The action can be configured in two ways:

Service Token (recommended)
Service Account Token with Project and Config

Service Token

A Doppler Service Token provides read-only access to a single config and is recommended due to its limited access scope.

Create a GitHub repository secret named DOPPLER_TOKEN or if using multiple Service Tokens (e.g. for a Monorepo), you can prefix the secret name using with application name, e.g. AUTH_API_DOPPLER_TOKEN.

Then supply the Service Token using the doppler-token input:

- uses: dopplerhq/secrets-fetch-action@v1.2.0
      id: doppler
      with:
        doppler-token: ${{ secrets.DOPPLER_TOKEN }}

Service Account Token

A Doppler Service Account Token allows for a configurable set of permissions to services in your workplace. The doppler-project and doppler-config inputs must be provided when using a Service Account Token:

- uses: dopplerhq/secrets-fetch-action@v1.2.0
      id: doppler
      with:
        doppler-token: ${{ secrets.DOPPLER_TOKEN }}
        doppler-project: auth-api
        doppler-config: ci-cd

Usage

Secrets can be accessed in two ways:

Default: Using outputs
Optional: Using environment variables

Using Outputs

Secrets can be accessed individually using outputs by providing an id for the Doppler action step:

name: Doppler secrets from outputs

on: [push]

jobs:
  secrets-fetch:
    runs-on: ubuntu-latest
    steps:
    - uses: dopplerhq/secrets-fetch-action@v1.2.0
      id: doppler
      with:
        doppler-token: ${{ secrets.DOPPLER_TOKEN }}
    - run: echo "DOPPLER_PROJECT is ${{ steps.doppler.outputs.DOPPLER_PROJECT }} (Doppler meta environment variables are unmasked)"
    - run: echo "API_KEY is ${{ steps.doppler.outputs.API_KEY }} (secret masked output)"

Using Environment Variables

This option injects secrets as environment variables for use in subsequent steps by setting the inject-env-vars input to true.

NOTE: Be careful using this option as environment variables are available to any subsequent process in your GitHub Action steps.

name: Doppler secrets from environment variables

on: [push]

jobs:
  secrets-fetch:
    runs-on: ubuntu-latest
    steps:
    - uses: dopplerhq/secrets-fetch-action@v1.2.0
      id: doppler
      with:
        doppler-token: ${{ secrets.DOPPLER_TOKEN }}
        inject-env-vars: true
    - run: printenv

Automatic Secrets Masking

All secret values are masked with the exception of the Doppler meta variables:

DOPPLER_PROJECT
DOPPLER_ENVIRONMENT
DOPPLER_CONFIG

and any secrets assigned the unmasked secret visibility.

Development and Testing

Export the NODE_ENV and DOPPLER_TOKEN environment variables, then run npm test.

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
.github/workflows		.github/workflows
node_modules		node_modules
semgrep_configs		semgrep_configs
.gitignore		.gitignore
LICENSE.txt		LICENSE.txt
README.md		README.md
action.yml		action.yml
doppler.js		doppler.js
index.js		index.js
meta.js		meta.js
package-lock.json		package-lock.json
package.json		package.json
salus-config.yml		salus-config.yml

License

DopplerHQ/secrets-fetch-action

Folders and files

Latest commit

History

Repository files navigation

Doppler Secrets Fetch Action

Configuration

Service Token

Service Account Token

Usage

Using Outputs

Using Environment Variables

Automatic Secrets Masking

Development and Testing

About

Topics

Resources

License

Stars

Watchers

Forks

Languages