SecretHub - GitHub Secrets CLI
SecretHub lets you easily manage your GitHub secrets from the command line with support for bulk operations.
Installation
$ gem install secret_hub
Prerequisites
SecretHub is a wrapper around the GitHub Secrets API. To use it, you need to set up your environment with a GitHub Access Token:
$ export GITHUB_ACCESS_TOKEN=<your access token>
Usage
SecretHub has two families of commands:
- Commands that operate on a single repository.
- Commands that operate on multiple repositories, and multiple secrets.
Most commands are self-explanatory and are described by the CLI:
$ secrethub --help
Single repository operations
Show the secret keys in a repository
# secrethub list REPO
$ secrethub list you/your-repo
Create or update a secret in a repository
# secrethub save REPO KEY VALUE
$ secrethub save you/your-repo SECRET "there is no spoon"
Delete a secret from a repository
# secrethub delete REPO KEY
$ secrethub delete you/your-repo SECRET
Bulk operations
All the bulk operations function by using a simple YAML configuration file. The configuration file includes a list of GitHub repositories, each with a list of its secrets.
For example:
# secrethub.yml
user/repo:
- SECRET
- PASSWORD
- SECRET_KEY
user/another-repo:
- SECRET
- SECRET_KEY
Each list of secrets can either be an array, or a hash.
Using array syntax
All secrets must be defined as environment variables.
user/repo:
- SECRET
- PASSWORD
Using hash syntax
Each secret may define its value, or leave it blank. When a secret value is blank, it will be loaded from the environment.
user/another-repo:
  SECRET:
  PASSWORD: p4ssw0rd
Using YAML anchors
SecretHub ignores any key that does not look like a repository (does not include a slash /). Using this feature, you can define reusable YAML anchors:
docker: &docker
  DOCKER_USER:
  DOCKER_PASSWORD:
user/another-repo:
  <<: *docker
  SECRET:
  PASSWORD: p4ssw0rd
Note that YAML anchors only work with the hash syntax.
Create a sample configuration file
# secrethub bulk init [CONFIG]
$ secrethub bulk init mysecrets.yml
Show the configuration file and its secrets
# secrethub bulk show [CONFIG --visible]
$ secrethub bulk show mysecrets.yml
Show all secrets stored on GitHub in all repositories
# secrethub bulk list [CONFIG]
$ secrethub bulk list mysecrets.yml
Save multiple secrets to multiple repositories
# secrethub bulk save [CONFIG --clean]
$ secrethub bulk save mysecrets.yml --clean
Using the --clean flag, you can ensure that the repositories do not have any secrets that you are unaware of. This flag will delete any secret that is not specified in your config file.
Delete secrets from multiple repositories unless they are specified in the config file
# secrethub bulk clean [CONFIG]
$ secrethub bulk clean mysecrets.yml
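A pre-flight check for the config format and the --clean behaviour described above, as an added example that is not part of SecretHub: it flags secrets whose plaintext value is stored in the YAML file (hash syntax), blank secrets with no matching environment variable, and the secrets that --clean would delete from the repositories listed in the config. The function names, the sample config and the per-repository list of existing secret names are assumptions constructed for illustration.

```ruby
require "yaml"

# Constructed sample in the config format described above (not a real file).
SAMPLE_CONFIG = <<~CONFIG
  docker: &docker
    DOCKER_USER:
    DOCKER_PASSWORD:
  user/repo:
    - SECRET
    - PASSWORD
  user/another-repo:
    <<: *docker
    SECRET:
    PASSWORD: p4ssw0rd
CONFIG

# Parse the config into { "owner/repo" => { "KEY" => value_or_nil } }.
# Keys without a slash (anchor holders such as "docker") are skipped.
def repo_secrets(yaml_text)
  config = YAML.safe_load(yaml_text, aliases: true) || {}
  config.select { |repo, _| repo.to_s.include?("/") }.transform_values do |secrets|
    # Array syntax carries no values: every key comes from the environment.
    secrets.is_a?(Hash) ? secrets : Array(secrets).to_h { |key| [key, nil] }
  end
end

# inline:  secrets whose plaintext value sits in the file itself
# missing: blank secrets with no matching environment variable
def audit_config(yaml_text, env = ENV)
  report = { inline: [], missing: [] }
  repo_secrets(yaml_text).each do |repo, secrets|
    secrets.each do |key, value|
      if value.to_s.empty?
        report[:missing] << "#{repo}:#{key}" unless env.key?(key.to_s)
      else
        report[:inline] << "#{repo}:#{key}"
      end
    end
  end
  report
end

# existing: secret names currently on GitHub per repository (hypothetical
# input, e.g. copied from `secrethub bulk list`). Returns the names absent
# from the config, which --clean would therefore delete.
def clean_would_delete(yaml_text, existing)
  repo_secrets(yaml_text)
    .to_h { |repo, secrets| [repo, existing.fetch(repo, []) - secrets.keys] }
    .reject { |_, stale| stale.empty? }
end
```

A non-empty inline list means the config file itself holds secret values and should be kept out of version control; a non-empty result from clean_would_delete is worth reviewing before running bulk save --clean or bulk clean.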
Contributing / Support
If you experience any issue, have a question or a suggestion, or if you wish to contribute, feel free to open an issue.