GitHub Actions Plugin
The GitHub Actions plugin enables you to automate workflows for your GitHub-hosted repositories. With this plugin, you can pull secrets from the Akeyless Vault Platform directly into your workflows.
To work with the GitHub Actions plugin:
- Create a GitHub Repository
- Set Up Akeyless Authentication Credentials for the Repository
- Set Up a GitHub Self-Hosted Runner
- Define a Workflow for the GitHub Action
- Trigger the GitHub Runner
Create a GitHub Repository
- Create a new directory and initialize it as a git repository by running:
git init
- Stage all the files in the directory by running:
git add .
- Commit all the staged files by running:
git commit -m "Initial Commit"
- On GitHub, create a new repository. In this example, it's called Akeyless-vault-example.


- Perform an initial commit to the new repository by running:
git remote add origin https://github.com/<your_account>/<your_repository>.git
git branch -M main
git push -u origin main
Set Up Akeyless Authentication Credentials for the Repository
- On GitHub, navigate to the main page of the repository, and select Settings > Secrets > New repository secret.
- Name the secret VAULT_TOKEN.
- Set the secret value in the format <access_id>..<access_key>, that is, your Akeyless access ID and access key joined by two dots.
- Select Add secret.
The GitHub repository is now configured with an access token for the Akeyless Vault Platform.
Set Up a GitHub Self-Hosted Runner
The GitHub self-hosted runner enables you to run workflows on a machine that you manage. Your workstation can be used if its operating system and architecture are supported.
- On GitHub, navigate to the main page of the repository, and select Settings > Actions > Runners > Add runner.
- Select the operating system and architecture of your self-hosted runner machine.
- Follow the instructions in the Download section to prepare a directory for the GitHub runner and then download the runner.
- Follow the instructions in the Configure section to configure the runner to connect to GitHub with a token GitHub generates for the runner.
Define a Workflow for the GitHub Action
- In a terminal, within the repository directory, create the directory .github/workflows.
- In the new directory, create a workflow file named image-builder.yml with the following content. It defines the name of the workflow and the event that triggers it.
name: ImageBuilder
# Run this workflow every time a new commit is pushed to your repository.
on: push
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@<version>   # <version>: pin the release tag you use
      - name: Import Secrets
        uses: hashicorp/vault-action@<version>   # <version>: pin the release tag you use
        env:
          ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
        with:
          url: https://hvp.akeyless.io
          tlsSkipVerify: true   # disables TLS certificate verification; do not leave this enabled outside testing
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/ci app_secret | app_secret ;
      - name: Secret from Akeyless
        run: echo "${{ env.app_secret }}"   # demonstration only; avoid echoing secrets in real workflows
If you are working with your own Akeyless Gateway, set the value of the url field to your Akeyless Gateway URL on port 8200, for example https://akeyless-gw:8200.
Note that the token used to authenticate is set to the VAULT_TOKEN secret you defined in the GitHub repository.
The format required by GitHub Actions for secrets is:
secrets: |
  secret/data/ci app_secret | app_secret ;
where secret/data is a required prefix, followed by the secret path. In this example, the secret app_secret in the Akeyless Vault Platform is stored in the ci folder. Therefore, the secret path is /ci/app_secret. app_secret is the key name, and | app_secret specifies that the secret value will be set into the app_secret variable.
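As an added example (not code from the Akeyless documentation or from the action itself), the following Python parses the secrets block format described above and flags the two settings in the sample workflow that weaken security. The sample inputs are constructed, and treating a missing `| name` as reusing the key name is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample: a secrets block in the 'path key | name ;' form used above.
SECRETS_BLOCK = """
secret/data/ci app_secret | app_secret ;
secret/data/ci db_password | DB_PASSWORD ;
"""
# Constructed sample: the settings in the example workflow that weaken security.
WORKFLOW_SNIPPET = """\
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
with:
  url: https://hvp.akeyless.io
  tlsSkipVerify: true
"""

def parse_secrets_block(block: str) -> List[Tuple[str, str, str]]:
    """Return (path, key, env_name) per entry; the secret/data prefix is required."""
    mappings = []
    for entry in block.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        left, bar, right = entry.partition("|")
        parts = left.split()
        if len(parts) != 2:
            raise ValueError(f"expected '<path> <key>' before '|' in {entry!r}")
        path, key = parts
        if not path.startswith("secret/data/"):
            raise ValueError(f"path must start with secret/data/: {path!r}")
        env_name = right.strip() if bar else key  # assumption: no '| name' reuses the key
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", env_name):
            raise ValueError(f"not a valid variable name: {env_name!r}")
        mappings.append((path, key, env_name))
    return mappings

def risky_workflow_settings(text: str) -> List[str]:
    """Return workflow lines that disable TLS checks or re-enable unsecure commands."""
    risky = {"tlsSkipVerify", "ACTIONS_ALLOW_UNSECURE_COMMANDS"}
    hits = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key in risky and value.strip().strip("'\"").lower() == "true":
            hits.append(line.strip())
    return hits
```

Run the second function over your own workflow file before committing it; an empty result means neither setting is enabled.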
Trigger the GitHub Runner
The workflow is triggered on every push to any branch of the repository.
Add the unstaged files to be committed by running:
git add .
git commit -m "adds workflow to repo"
git push origin main
The GitHub self-hosted runner polls GitHub for changes. When a change is detected, the runner begins executing the workflow. The build result can be seen in GitHub, in the Actions section.