Decrypt murk secrets and inject them into your GitHub Actions workflow.

```yaml
- uses: iicky/murk-action@v1
  with:
    murk-key: ${{ secrets.MURK_KEY }}
```

All decrypted values are written to `$GITHUB_ENV` and masked in logs.
Subsequent steps can use them as regular environment variables.

```yaml
steps:
  - uses: actions/checkout@v4
  - uses: iicky/murk-action@v1
    with:
      murk-key: ${{ secrets.MURK_KEY }}
  - run: echo "connected to $DATABASE_URL"
    # DATABASE_URL is available and its value is masked in logs
```

| Input | Required | Default | Description |
|---|---|---|---|
| `murk-key` | yes | | Age secret key (`AGE-SECRET-KEY-1...`) |
| `version` | no | `latest` | murk version (e.g. `0.2.1`) |
| `vault` | no | `.murk` | Path to vault file |
| `tags` | no | | Space-separated tags to filter secrets |

```yaml
- uses: iicky/murk-action@v1
  with:
    murk-key: ${{ secrets.MURK_KEY }}
    version: '0.2.1'
```

```yaml
- uses: iicky/murk-action@v1
  with:
    murk-key: ${{ secrets.MURK_KEY }}
    vault: 'prod.murk'
```

```yaml
- uses: iicky/murk-action@v1
  with:
    murk-key: ${{ secrets.MURK_KEY }}
    tags: 'deploy aws'
```

If you prefer subprocess injection over `$GITHUB_ENV`:

```yaml
- uses: iicky/murk-action@v1
  with:
    murk-key: ${{ secrets.MURK_KEY }}
- run: murk exec --vault .murk -- ./deploy.sh
  env:
    MURK_KEY: ${{ secrets.MURK_KEY }}
```

- Downloads the murk binary from GitHub Releases for the runner platform
- Runs `murk export` to decrypt the vault
- Masks each secret value with `::add-mask::`
- Writes each key-value pair to `$GITHUB_ENV`
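
The mask-then-write sequence from the last two steps, as an added shell example (not murk-action's own code). `inject_secret` is a hypothetical helper that assumes the decrypted name and value are already in hand; it goes slightly beyond the list by handling multi-line values, which need one `::add-mask::` per line and the delimiter form of `$GITHUB_ENV`.

```shell
#!/bin/sh
# Added example, not murk-action's code. inject_secret NAME VALUE is hypothetical.
inject_secret() {
    name=$1
    value=$2

    # A name containing '=', '<' or a newline could add extra entries to the
    # env file, so accept only plain environment-variable names.
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "rejected name" >&2; return 1 ;;
    esac

    # Mask before writing. add-mask handles one line at a time, so a multi-line
    # value (e.g. a PEM key) gets one command per non-empty line. '%' is
    # escaped as %25 because the runner unescapes workflow-command data.
    printf '%s\n' "$value" | sed 's/%/%25/g' | while IFS= read -r line; do
        if [ -n "$line" ]; then
            printf '::add-mask::%s\n' "$line"
        fi
    done

    # Delimiter form of the env file: NAME<<DELIM, value lines, DELIM.
    # A random delimiter that is absent from the value keeps the value from
    # closing the block early and defining further variables.
    delim="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    case $value in
        *"$delim"*) echo "delimiter collision" >&2; return 1 ;;
    esac
    {
        printf '%s<<%s\n' "$name" "$delim"
        printf '%s\n' "$value"
        printf '%s\n' "$delim"
    } >> "$GITHUB_ENV"
}

# Constructed sample run; outside a runner GITHUB_ENV falls back to a temp file.
: "${GITHUB_ENV:=$(mktemp)}"
inject_secret DATABASE_URL 'postgres://app:constructed-pw@db.example/app'
```
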

Supported runners: `ubuntu-latest` (x86_64, arm64) and `macos-latest` (x86_64, arm64).

- `murk-key` should always come from a GitHub Actions secret
- All decrypted values are masked before being written anywhere
- The murk binary is downloaded over HTTPS from GitHub Releases
- No secrets are written to disk

License: MIT OR Apache-2.0