GitHub Actions Plugin

The GitHub Actions plugin enables you to automate workflows for your GitHub-hosted repositories. With this plugin, you can pull secrets from the Akeyless Vault Platform directly into your workflows.

To work with the GitHub Actions plugin:

  1. Create a GitHub Repository
  2. Set Up Akeyless Authentication Credentials for the Repository
  3. Set Up a GitHub Self-Hosted Runner
  4. Define a Workflow for the GitHub Action
  5. Trigger the GitHub Runner

Create a GitHub Repository

  1. Create a new directory and initialize it as a git repository by running:
git init
  1. Stage all the files in the directory by running:
git add .
  1. Commit all the staged files by running:
git commit -m "Initial Commit"
  1. On GitHub, create a new repository. In this example, it's called Akeyless-vault-example.
  1. Perform an initial commit to the new repository by running:
git remote add origin<your_account>/<your_repository>.git
git branch -M main
git push -u origin main

Set Up Akeyless Authentication Credentials for the Repository

  1. On GitHub, navigate to the main page of the repository, and select Settings > Secrets > New repository secret.

  2. Name the secret VAULT_TOKEN.

  3. Set the secret value in the following format : <access_id>..<access_key>. For example:

  1. Select Add secret.

The GitHub repository is now configured with an access token for the Akeyless Vault Platform.

Set Up a GitHub Self-Hosted Runner

The GitHub self-hosted runner enables you to start a runner instance on an instance that you manage. Your workstation can be used if it is supported.

  1. On GitHub, navigate to the main page of the repository, and select Settings > Actions > Runners > Add runner.

  2. Select the operating system and architecture of your self-hosted runner machine.

  3. Follow the instructions in the Download section to prepare a directory for the GitHub runner and then download the runner.

  4. Follow the instructions in the Configure section to configure the runner to connect to GitHub with a token GitHub generates for the runner.

Define a Workflow for the GitHub Action

  1. In a terminal, within the repository directory, create the directory .github/workflows.

  2. In the new directory, create a workflow file named image-builder.yml with the following content, to define the name of the workflow and the frequency at which it triggers.

name: ImageBuilder
# Run this workflow every time a new commit pushed to your repository.
on: push
    runs-on: self-hosted
      - uses: actions/[email protected]
      - name: Import Secrets
        uses: hashicorp/[email protected]
          tlsSkipVerify: true
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/ci app_secret | app_secret ;
      - name: Secret from Akeyless
        run: echo "${{ env.app_secret }}"


If you are working with your own Akeyless Gateway, set the value of the url field as your Akeyless Gateway URL on port 8200. For example, https://akeyless-gw:8200.

Note that the token used to authenticate is set to the VAULT_TOKEN secret you defined in the GitHub repository.

The format required by GitHub Actions for secrets is:

secrets: |
  secret/data/ci app_secret | app_secret ;

where secret/data is a required prefix, followed by the secret path. In this example, the secret app_secret in the Akeyless Vault Plaform is stored in the ci folder. Therefore, the secret path is /ci/app_secret.

app_secret is the key name and | app_secret specifies the secret value which will be set into the app_secret variable.

Trigger the GitHub Runner

The workflow is triggered on every push to any branch of the repository.

Add the unstated files to be committed by running:

git add .
git commit -m "adds workflow to repo"
git push origin main

The GitHub self-hosted runner polls GitHub for changes. When a change is detected, the runner begins execution on the workflow. The build result can be seen in GitHub, in the Actions section.

Did this page help you?