CI/CD Secrets
Access dotsecenv-managed secrets in a GitHub Actions workflow so your CI/CD pipeline can use them without storing plaintext credentials in your repo.
Prerequisites
Section titled “Prerequisites”- Getting Started completed
- A GitHub repository with Actions enabled
- A GPG key dedicated to CI (recommended:
dotsecenv identity create --name "CI Bot" --email "ci@example.com" --no-passphrase)
-
Export your CI GPG private key
Export the ASCII-armored private key directly. Do not base64-encode it; the armor format is already plain ASCII and
gpg --importreads it as-is.Terminal window gpg --armor --export-secret-keys ci@example.com > ci-key.asc -
Add it as a GitHub secret
Go to your repository: Settings > Secrets and variables > Actions > New repository secret
- Name:
GPG_PRIVATE_KEY - Value: paste the contents of
ci-key.asc
Or use the
ghCLI:Terminal window gh secret set GPG_PRIVATE_KEY < ci-key.asc - Name:
-
Create a workflow file
Create
.github/workflows/build.yml:name: Buildon:push:branches: [main]permissions:contents: readjobs:build:runs-on: ubuntu-latestenv:GNUPGHOME: ${{ runner.temp }}/gnupgsteps:- uses: actions/checkout@v4- uses: dotsecenv/dotsecenv@v0with:version: latestverify-provenance: true- name: Import GPG keyenv:GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}run: |mkdir -p "$GNUPGHOME"chmod 700 "$GNUPGHOME"echo "$GPG_PRIVATE_KEY" | gpg --batch --import# Capture the fingerprint of the imported key for login.FP=$(gpg --list-secret-keys --with-colons \| awk -F: '/^fpr:/ { print $10; exit }')echo "DOTSECENV_FP=$FP" >> "$GITHUB_ENV"- name: Initialise dotsecenv and log inrun: |dotsecenv init config -v .dotsecenv/vaultdotsecenv login "$DOTSECENV_FP"- name: Use secretsrun: |DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)echo "Secret retrieved successfully"# Use $DATABASE_PASSWORD in your build/deploy steps -
Commit and push
Terminal window git add .github/workflows/build.ymlgit commit -m "ci: add dotsecenv secrets to build workflow"git push -
Verify the workflow
Go to Actions in your repository. The workflow should complete successfully with “Secret retrieved successfully” in the logs.
Using .secenv files in CI
Section titled “Using .secenv files in CI”If your project has a .secenv file, you can load all secrets at once:
- name: Load secrets from .secenv run: | eval "$(dotsecenv env load)" # All .secenv variables are now availableGitLab CI
Section titled “GitLab CI”The pattern is the same. Store the ASCII-armored GPG key as a CI/CD variable named GPG_PRIVATE_KEY (type “File” or “Variable”; do not base64-encode it), then:
build: image: ubuntu:latest before_script: - curl -fsSL https://get.dotsecenv.com/install.sh | bash -s -- --no-install-shell-plugin - echo "$GPG_PRIVATE_KEY" | gpg --batch --import - dotsecenv init config -v .dotsecenv/vault - FP=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }') - dotsecenv login "$FP" script: - DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD) - echo "Secret available in pipeline"Next steps
Section titled “Next steps”- GitHub Action – full reference for the
dotsecenv/dotsecenvaction - Terraform & OpenTofu – use dotsecenv as a Terraform credentials helper
