CI/CD Secrets

Access dotsecenv-managed secrets in a GitHub Actions workflow so your CI/CD pipeline can use them without storing plaintext credentials in your repo.

  • Getting Started completed
  • A GitHub repository with Actions enabled
  • A GPG key dedicated to CI (recommended: dotsecenv identity create --name "CI Bot" --email "ci@example.com" --no-passphrase)
  1. Export your CI GPG private key

    gpg --armor --export-secret-keys ci@example.com | base64

    Copy the entire base64 output.

  2. Add it as a GitHub secret

    Go to your repository: Settings > Secrets and variables > Actions > New repository secret

    • Name: GPG_PRIVATE_KEY
    • Value: paste the base64 output from step 1
  3. Create a workflow file

    Create .github/workflows/build.yml:

    name: Build
    on:
      push:
        branches: [main]
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: dotsecenv/dotsecenv@v0
            with:
              init-config: ''
          - name: Import GPG key
            run: |
              echo "${{ secrets.GPG_PRIVATE_KEY }}" | base64 -d | gpg --batch --import
              dotsecenv login $(gpg --list-secret-keys --keyid-format long | grep -A1 "sec" | tail -1 | awk '{print $1}')
          - name: Use secrets
            run: |
              DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)
              echo "Secret retrieved successfully"
              # Use $DATABASE_PASSWORD in your build/deploy steps
  4. Commit and push

    git add .github/workflows/build.yml
    git commit -m "ci: add dotsecenv secrets to build workflow"
    git push
  5. Verify the workflow

    Go to Actions in your repository. The workflow should complete successfully with “Secret retrieved successfully” in the logs.

If your project has a .secenv file, you can load all secrets at once:

- name: Load secrets from .secenv
  run: |
    eval "$(dotsecenv env load)"
    # All .secenv variables are now available

The pattern is the same in other CI systems; the job below uses GitLab CI syntax. Store the base64 GPG key as a CI/CD variable, then:

build:
  image: ubuntu:latest
  before_script:
    - curl -fsSL https://get.dotsecenv.com/install.sh | bash -s -- --no-install-shell-plugin
    - echo "$GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
    - dotsecenv init config
    - dotsecenv login $(gpg --list-secret-keys --keyid-format long | grep -A1 "sec" | tail -1 | awk '{print $1}')
  script:
    - DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)
    - echo "Secret available in pipeline"
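As an added example (not dotsecenv project code), this POSIX shell helper replaces the `grep -A1 "sec" | tail -1 | awk` pipeline used in both the GitHub Actions and GitLab jobs above with a parser for gpg's stable `--with-colons` output, and refuses to pass an empty or malformed fingerprint to `dotsecenv login`. The function names, `SAMPLE_COLONS` and the sample gpg output are constructed; the key is read from the `GPG_PRIVATE_KEY` environment variable (in GitHub Actions, supply it through the step's `env:` block rather than interpolating `${{ secrets.* }}` into `run:`; GitLab CI/CD variables already arrive as environment variables).

```shell
#!/bin/sh
# Added example (not dotsecenv project code): import a CI GPG key and
# recover its primary fingerprint robustly for `dotsecenv login`.

# Constructed sample of `gpg --batch --with-colons --list-secret-keys` output:
# a primary key (sec/fpr), its user id, and an encryption subkey (ssb/fpr).
SAMPLE_COLONS='sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1700000000::0000000000000000000000000000000000000000::CI Bot <ci@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the fingerprint of the primary secret key: the first "fpr" record
# after a "sec" record (field 10). Subkey fpr records following "ssb" are
# skipped, and nothing is printed if no secret key is present.
fingerprint_from_colons() {
  awk -F: '$1 == "sec" { want = 1; next }
           $1 == "ssb" { want = 0; next }
           $1 == "fpr" && want { print $10; exit }'
}

# A v4 fingerprint is exactly 40 uppercase hex digits.
is_fingerprint() {
  case "$1" in *[!0-9A-F]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

# Expects the base64-encoded armored key in $GPG_PRIVATE_KEY (supplied via the
# job's env, not interpolated into the script), imports it into a throwaway
# GNUPGHOME and prints the fingerprint, or fails instead of logging in blind.
import_ci_key() {
  [ -n "${GPG_PRIVATE_KEY:-}" ] || { echo "GPG_PRIVATE_KEY is empty" >&2; return 1; }
  GNUPGHOME="${GNUPGHOME:-$(mktemp -d)}"; export GNUPGHOME
  printf '%s\n' "$GPG_PRIVATE_KEY" | base64 -d | gpg --batch --quiet --import || return 1
  fpr=$(gpg --batch --with-colons --list-secret-keys | fingerprint_from_colons)
  is_fingerprint "$fpr" || { echo "no usable secret key after import" >&2; return 1; }
  printf '%s\n' "$fpr"
}

# Stand-alone use in a CI step:  FPR=$(sh import_ci_key.sh --run) && dotsecenv login "$FPR"
if [ "${1:-}" = "--run" ]; then
  import_ci_key
fi
```

The fingerprint check fails the job when the import produced no secret key, which the original pipeline would not catch.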