### Example: Universal Auth in a GitHub Actions Workflow Source: https://context7.com/infisical/secrets-action/llms.txt This example demonstrates setting up the Infisical Secrets Action using Universal Auth within a GitHub Actions job. Secrets fetched are made available as environment variables. ```yaml jobs: deploy: runs-on: ubuntu-latest steps: - uses: Infisical/secrets-action@v1.0.12 with: method: "universal" client-id: ${{ secrets.INFISICAL_CLIENT_ID }} client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }} project-slug: "my-app" env-slug: "production" domain: "https://app.infisical.com" - name: Use secret run: echo "DB host is $DATABASE_HOST" # secret injected as env var ``` -------------------------------- ### Example: OIDC Auth in a GitHub Actions Workflow Source: https://context7.com/infisical/secrets-action/llms.txt This example shows how to configure the Infisical Secrets Action with OIDC authentication. It includes the necessary `permissions` block and demonstrates accessing secrets as environment variables for subsequent steps. ```yaml jobs: build: runs-on: ubuntu-latest permissions: id-token: write # required for OIDC contents: read steps: - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} oidc-audience: "infisical" # optional, must match bound audience project-slug: "frontend" env-slug: "dev" domain: "https://eu.infisical.com" # EU region instance - name: Build app run: npm run build # all secrets available as env vars ``` -------------------------------- ### Example: AWS IAM Auth in a GitHub Actions Workflow Source: https://context7.com/infisical/secrets-action/llms.txt This example illustrates using AWS IAM authentication with the Infisical Secrets Action. The runner must have AWS credentials configured, and the `AWS_REGION` environment variable is used for auto-detection. ```yaml jobs: sync: runs-on: ubuntu-latest steps: - uses: Infisical/secrets-action@v1.0.12 with: method: "aws-iam" identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e" project-slug: "data-pipeline" env-slug: "production" domain: "https://app.infisical.com" env: AWS_REGION: us-east-1 AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }} # if using assumed role ``` -------------------------------- ### Setup Infisical Secrets Action with Internal CA Source: https://github.com/infisical/secrets-action/blob/main/README.md Configure the Infisical Secrets Action in your GitHub Actions workflow to use a custom CA certificate. Set the `NODE_EXTRA_CA_CERTS` environment variable to the path of your certificate file. ```yaml jobs: your-job-name: runs-on: ubuntu-latest env: NODE_EXTRA_CA_CERTS: ./ca-certificate.pem # Path to your CA certificate steps: - name: Checkout code uses: actions/checkout@v4 - name: Setup Infisical Secrets uses: Infisical/secrets-action@v1.0.12 with: method: "universal" domain: "https://" # Your internal Infisical domain # rest of the parameters ``` -------------------------------- ### Configure Infisical Secrets Action with Universal Auth Source: https://context7.com/infisical/secrets-action/llms.txt Use Universal Authentication with client ID and secret to fetch secrets. Ensure these are stored as GitHub repository secrets. ```yaml - uses: Infisical/secrets-action@v1.0.12 with: method: "universal" # "universal" | "oidc" | "aws-iam" client-id: ${{ secrets.INFISICAL_CLIENT_ID }} client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }} project-slug: "my-project" env-slug: "production" ``` -------------------------------- ### Configure Extra Headers for Infisical Action Source: https://github.com/infisical/secrets-action/blob/main/README.md Use the `extra-headers` parameter to include custom headers in requests to your Infisical instance. This is useful for instances behind firewalls that require specific authentication or identification headers. ```yaml extra-headers: | Example-Header: Header-Value X-Request-Id: 1234567890 X-Authentication-Secret: ${{ secrets.AUTH_SECRET }} ``` -------------------------------- ### Configure OIDC Auth for Infisical Secrets Action Source: https://github.com/infisical/secrets-action/blob/main/README.md Use this configuration for OIDC authentication. Ensure your workflow has `id-token: write` permissions. The `identity-id` is required, and `oidc-audience` is optional. ```yaml - uses: Infisical/secrets-action@v1.0.9 with: method: "oidc" identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e" domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance env-slug: "dev" project-slug: "cli-integration-tests-9-edj" ``` -------------------------------- ### Custom Infisical Instance URL (Domain) Source: https://context7.com/infisical/secrets-action/llms.txt Overrides the default `https://app.infisical.com` endpoint. Use for custom regions, dedicated instances, or self-hosted deployments. ```yaml # EU cloud region - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} project-slug: "my-app" env-slug: "production" domain: "https://eu.infisical.com" ``` ```yaml # Self-hosted instance - uses: Infisical/secrets-action@v1.0.12 with: method: "universal" client-id: ${{ secrets.INFISICAL_CLIENT_ID }} client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }} project-slug: "my-app" env-slug: "production" domain: "https://infisical.internal.company.com" ``` -------------------------------- ### Configure Infisical Secrets Action with OIDC Auth Source: https://context7.com/infisical/secrets-action/llms.txt Utilize OIDC authentication for secure secret fetching. Requires `id-token: write` permission for the workflow. The `oidc-audience` is optional and should match your Machine Identity's bound audience. ```yaml - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} project-slug: "backend-api" # required env-slug: "staging" # required domain: "https://app.infisical.com" ``` -------------------------------- ### Configure Custom CA Certificate for Self-Hosted Infisical Source: https://context7.com/infisical/secrets-action/llms.txt Set the NODE_EXTRA_CA_CERTS environment variable to point to a PEM-format CA certificate when using self-hosted Infisical with an internal Certificate Authority. This variable should be set at the job level. ```yaml jobs: fetch-secrets: runs-on: ubuntu-latest env: NODE_EXTRA_CA_CERTS: ./ca-certificate.pem # path relative to GITHUB_WORKSPACE steps: - name: Checkout code uses: actions/checkout@v4 # must run first to populate the workspace - uses: Infisical/secrets-action@v1.0.12 with: method: "universal" client-id: ${{ secrets.INFISICAL_CLIENT_ID }} client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }} project-slug: "internal-app" env-slug: "production" domain: "https://infisical.internal.company.com" ``` -------------------------------- ### Write Secrets to a .env File Source: https://context7.com/infisical/secrets-action/llms.txt Writes all secrets to a file in `KEY='value'` format at the specified path within `$GITHUB_WORKSPACE`. Requires `actions/checkout` beforehand. Useful for applications loading configuration from `.env` files. ```yaml steps: - name: Checkout code uses: actions/checkout@v4 # required before file export - uses: Infisical/secrets-action@v1.0.12 with: method: "universal" client-id: ${{ secrets.INFISICAL_CLIENT_ID }} client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }} project-slug: "my-app" env-slug: "dev" export-type: "file" file-output-path: "/src/.env" # written to $GITHUB_WORKSPACE/src/.env # defaults to /.env - name: Start service run: node server.js # server.js reads from src/.env via dotenv ``` -------------------------------- ### Export Infisical Secrets to a File Source: https://github.com/infisical/secrets-action/blob/main/README.md This configuration exports secrets from Infisical to a specified file within your workspace, typically used for applications reading `.env` files. Ensure `actions/checkout` is used prior to this step. ```yaml - uses: Infisical/secrets-action@v1.0.9 with: method: "oidc" identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e" domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance env-slug: "dev" project-slug: "cli-integration-tests-9-edj" export-type: "file" file-output-path: "/src/.env" # defaults to "/.env" ``` -------------------------------- ### Custom HTTP Headers for Requests Source: https://context7.com/infisical/secrets-action/llms.txt Appends arbitrary HTTP headers to every request sent to Infisical. Useful for instances behind reverse proxies or firewalls requiring authentication. Headers are provided as `Key: Value` on separate lines. ```yaml - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} project-slug: "my-app" env-slug: "production" domain: "https://infisical.internal.company.com" extra-headers: | X-Proxy-Auth: ${{ secrets.PROXY_SECRET }} X-Request-Source: github-actions X-Tenant-Id: acme-corp ``` -------------------------------- ### Checkout Code for File Export Mode Source: https://github.com/infisical/secrets-action/blob/main/README.md This step is required before using the Infisical Secrets Action in file export mode to ensure the workspace is checked out. ```yaml steps: - name: Checkout code uses: actions/checkout@v4 ``` -------------------------------- ### Configure AWS IAM Auth for Infisical Secrets Action Source: https://github.com/infisical/secrets-action/blob/main/README.md Use this configuration when authenticating with Infisical using AWS IAM. Ensure your runner has AWS credentials and network access to AWS STS. ```yaml - uses: Infisical/secrets-action@v1.0.9 with: method: "aws-iam" identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e" domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance env-slug: "dev" project-slug: "cli-integration-tests-9-edj" ``` -------------------------------- ### Fetch Secrets Recursively from Subdirectories Source: https://context7.com/infisical/secrets-action/llms.txt When set to `true`, fetches all secrets from the `secret-path` and every nested subdirectory. Defaults to `false`. Can be combined with `secret-path` to scope the recursion. ```yaml - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} project-slug: "monorepo" env-slug: "staging" secret-path: "/services" recursive: "true" # fetches /services, /services/api, /services/worker, etc. ``` -------------------------------- ### Fetch Secrets from a Specific Path Source: https://context7.com/infisical/secrets-action/llms.txt Scopes secret retrieval to a sub-path within the project/environment. Defaults to `/` (root). Useful for organizing secrets into folders in Infisical. ```yaml - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} project-slug: "monorepo" env-slug: "production" secret-path: "/services/payment-api" # only fetch secrets under this path ``` -------------------------------- ### Include Imported Secrets Source: https://context7.com/infisical/secrets-action/llms.txt Controls whether secrets imported from other environments or paths are included. Defaults to `true`. Imported secrets are merged with direct secrets, with direct secrets taking precedence if keys collide. ```yaml - uses: Infisical/secrets-action@v1.0.12 with: method: "universal" client-id: ${{ secrets.INFISICAL_CLIENT_ID }} client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }} project-slug: "my-app" env-slug: "staging" include-imports: "true" # default; set to "false" to skip imported secrets ``` -------------------------------- ### Export Secrets as Environment Variables Source: https://context7.com/infisical/secrets-action/llms.txt Injects secrets as environment variables using `core.exportVariable`. Secrets are also registered with `core.setSecret` for log masking. This is the default export type and can be omitted. ```yaml steps: - uses: Infisical/secrets-action@v1.0.12 with: method: "oidc" identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }} project-slug: "my-app" env-slug: "production" export-type: "env" # default, can be omitted - name: Run tests run: | echo "Connecting to $DATABASE_URL" # DATABASE_URL injected from Infisical npm test - name: Deploy run: | docker build --build-arg API_KEY=$API_KEY . ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.