This GitHub Action enables you to import secrets from Infisical—whether hosted in the cloud or self-hosted—directly into your GitHub workflows.
method to aws-iam and configure the identity-id input parameter.- uses: Infisical/secrets-action@v1.0.9
with:
method: "aws-iam"
identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
env-slug: "dev"
project-slug: "cli-integration-tests-9-edj"
method to oidc and configure the identity-id input parameter. Optionally, customize the JWT's aud field by setting the oidc-audience input parameter.id-token: write to the permissions for your workflow:permissions:
id-token: write
contents: read
client_id and client_secret and store them as Github secrets (recommended) or environment variables.client-id and client-secret input parameters.With this action, you can use your Infisical secrets in two ways: as environment variables or as a file.
Secrets are injected as environment variables and can be referenced by subsequent workflow steps.
- uses: Infisical/secrets-action@v1.0.9
with:
method: "oidc"
identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
env-slug: "dev"
project-slug: "cli-integration-tests-9-edj"
Exports secrets to a file in your GITHUB_WORKSPACE, useful for applications that read from .env files.
- uses: Infisical/secrets-action@v1.0.9
with:
method: "oidc"
identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
env-slug: "dev"
project-slug: "cli-integration-tests-9-edj"
export-type: "file"
file-output-path: "/src/.env" # defaults to "/.env"
Note: Make sure to configure an actions/checkout step before using this action in file export mode
steps:
- name: Checkout code
uses: actions/checkout@v4
methodOptional. The authentication method to use. Defaults to universal. Possible values are universal, oidc, and aws-iam
client-idOptional. Machine Identity client ID
client-secretOptional. Machine Identity secret key
identity-idOptional. Machine Identity ID
oidc-audienceOptional. Custom aud claim for the signed Github ID token
project-slugRequired. Source project slug
env-slugRequired. Source environment slug
domainOptional. Infisical URL. Defaults to https://app.infisical.com. If you're using Infisical EU (https://eu.infisical.com) or a self-hosted/dedicated instance, you will need to set the appropriate value for this field.
export-typeOptional. If set to env, it will set the fetched secrets as environment variables for subsequent steps of a workflow. If set to file, it will export the secrets in a .env file in the defined file-output-path. Defaults to env
file-output-pathOptional. The path to save the file when export-type is set to file. Defaults to /.env
secret-pathOptional. Source secret path. Defaults to /. Example: /my-secret-path.
include-importsOptional. If set to true, it will include imported secrets. Defaults to true
recursiveOptional. If set to true, it will fetch all secrets from the specified base path and all of its subdirectories. Defaults to false
extra-headersOptional. You can optionally provide extra headers that will be included in every request made to Infisical. This is useful if your Infisical instance is behind a header-based firewall.
Example:
extra-headers: |
Example-Header: Header-Value
X-Request-Id: 1234567890
X-Authentication-Secret: ${{ secrets.AUTH_SECRET }}
When your Infisical instance uses an internal Certificate Authority (CA) that isn't trusted by default in GitHub Actions runners, you'll need to configure the action to recognize your custom CA certificate.
ca-certificate.pem) in your repository root or .github/ directoryjobs:
your-job-name:
runs-on: ubuntu-latest
env:
NODE_EXTRA_CA_CERTS: ./ca-certificate.pem # Path to your CA certificate
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Infisical Secrets
uses: Infisical/secrets-action@v1.0.12
with:
method: "universal"
domain: "https://<infisical instance url>" # Your internal Infisical domain
# rest of the parameters
$ claude mcp add secrets-action \
-- python -m otcore.mcp_server <graph>