Skip to content

CI/CD Secrets

Access dotsecenv-managed secrets in a GitHub Actions workflow so your CI/CD pipeline can use them without storing plaintext credentials in your repo.

  • Getting Started completed
  • A GitHub repository with Actions enabled
  • A GPG key dedicated to CI (recommended: dotsecenv identity create --name "CI Bot" --email "ci@example.com" --no-passphrase)
  1. Export your CI GPG private key

    Export the ASCII-armored private key directly. Do not base64-encode it; the armor format is already plain ASCII and gpg --import reads it as-is.

    Terminal window
    gpg --armor --export-secret-keys ci@example.com > ci-key.asc
  2. Add it as a GitHub secret

    Go to your repository: Settings > Secrets and variables > Actions > New repository secret

    • Name: GPG_PRIVATE_KEY
    • Value: paste the contents of ci-key.asc

    Or use the gh CLI:

    Terminal window
    gh secret set GPG_PRIVATE_KEY < ci-key.asc
  3. Create a workflow file

    Create .github/workflows/build.yml:

    name: Build
    on:
    push:
    branches: [main]
    permissions:
    contents: read
    jobs:
    build:
    runs-on: ubuntu-latest
    env:
    GNUPGHOME: ${{ runner.temp }}/gnupg
    steps:
    - uses: actions/checkout@v4
    - uses: dotsecenv/dotsecenv@v0
    with:
    version: latest
    verify-provenance: true
    - name: Import GPG key
    env:
    GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
    run: |
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
    echo "$GPG_PRIVATE_KEY" | gpg --batch --import
    # Capture the fingerprint of the imported key for login.
    FP=$(gpg --list-secret-keys --with-colons \
    | awk -F: '/^fpr:/ { print $10; exit }')
    echo "DOTSECENV_FP=$FP" >> "$GITHUB_ENV"
    - name: Initialise dotsecenv and log in
    run: |
    dotsecenv init config -v .dotsecenv/vault
    dotsecenv login "$DOTSECENV_FP"
    - name: Use secrets
    run: |
    DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)
    echo "Secret retrieved successfully"
    # Use $DATABASE_PASSWORD in your build/deploy steps
  4. Commit and push

    Terminal window
    git add .github/workflows/build.yml
    git commit -m "ci: add dotsecenv secrets to build workflow"
    git push
  5. Verify the workflow

    Go to Actions in your repository. The workflow should complete successfully with “Secret retrieved successfully” in the logs.

If your project has a .secenv file, you can load all secrets at once:

- name: Load secrets from .secenv
run: |
eval "$(dotsecenv env load)"
# All .secenv variables are now available

The pattern is the same. Store the ASCII-armored GPG key as a CI/CD variable named GPG_PRIVATE_KEY (type “File” or “Variable”; do not base64-encode it), then:

build:
image: ubuntu:latest
before_script:
- curl -fsSL https://get.dotsecenv.com/install.sh | bash -s -- --no-install-shell-plugin
- echo "$GPG_PRIVATE_KEY" | gpg --batch --import
- dotsecenv init config -v .dotsecenv/vault
- FP=$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
- dotsecenv login "$FP"
script:
- DATABASE_PASSWORD=$(dotsecenv secret get DATABASE_PASSWORD)
- echo "Secret available in pipeline"