This GitHub Action gets an Infisical token from Infisical Cloud or a self-hosted Infisical instance and injects it into the environment as `env.INFISICAL_TOKEN`.

## Usage

- In order to use this, you will need to configure a Machine Identity for your project.
- This action supports three ways to authenticate your workflows with Infisical: AWS IAM Auth, OIDC Auth and Universal Auth.
### AWS IAM Auth

- Configure a machine identity to use the "AWS Auth" method. Set the allowed principal ARNs, account IDs, and other settings as needed for your setup. Refer to the setup guide here.
- Get the machine identity's ID.
- Set `method` to `aws-iam` and configure the `identity-id` input parameter.
- Your GitHub Action runner must have access to AWS credentials (either through IAM roles, environment variables, or other AWS credential providers).
- Ensure your runner has network access to AWS STS API endpoints.

```yaml
- uses: Rikthepixel/infisical-token-action@v1.0.2
  with:
    method: "aws-iam"
    identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
```

### OIDC Auth

- Configure a machine identity to use the "OIDC Auth" method. Set the bound audience, bound subject, and bound claims as needed for your setup. Refer to the setup guide here.
- Get the machine identity's ID.
- Set `method` to `oidc` and configure the `identity-id` input parameter. Optionally, customize the JWT's `aud` field by setting the `oidc-audience` input parameter.
- For debugging OIDC configuration issues, you can use GitHub's actions-oidc-debugger tool. This tool helps you inspect the JWT claims and verify they match your configuration.
- Add `id-token: write` to the permissions for your workflow:

```yaml
permissions:
  id-token: write
  contents: read
```

```yaml
- uses: Rikthepixel/infisical-token-action@v1.0.2
  with:
    method: "oidc"
    identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
```

### Universal Auth

- Configure a machine identity to have an auth method of "Universal Auth".
- Get the machine identity's `client_id` and `client_secret` and store them as GitHub secrets (recommended) or environment variables.
- Set the `client-id` and `client-secret` input parameters.

```yaml
- uses: Rikthepixel/infisical-token-action@v1.0.2
  with:
    client-id: ${{ env.client_id }}         # input names are hyphenated; values taken from the environment here (GitHub secrets recommended)
    client-secret: ${{ env.client_secret }}
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
```

## Using the token

The `INFISICAL_TOKEN` is injected as an environment variable and can be referenced by subsequent workflow steps.
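A complete workflow, added here as an example rather than taken from this action's README, that wires the OIDC method to a later step which consumes the token from the step environment instead of interpolating it into the script text. The repository variables, the `prod` environment, and the Infisical v3 raw-secrets endpoint and its response shape are assumptions; the identity and project ids are placeholders.

```yaml
name: fetch-secrets                 # example workflow; all ids below are placeholders
on:
  push:
    branches: [main]

permissions:
  id-token: write                   # required for the oidc method
  contents: read

jobs:
  fetch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Obtain an Infisical token
        uses: Rikthepixel/infisical-token-action@v1.0.2
        with:
          method: "oidc"
          identity-id: ${{ vars.INFISICAL_IDENTITY_ID }}   # assumption: identity id kept as a repository variable
          domain: "https://app.infisical.com"
          extra-headers: |
            X-Authentication-Secret: ${{ secrets.AUTH_SECRET }}

      - name: Fetch secrets
        # INFISICAL_TOKEN is already in the step environment (the action exported it).
        # Reading $INFISICAL_TOKEN from the shell, rather than writing
        # ${{ env.INFISICAL_TOKEN }} into the script, keeps the token out of the
        # rendered command that Actions logs.
        env:
          DOMAIN: https://app.infisical.com
          PROJECT_ID: ${{ vars.INFISICAL_PROJECT_ID }}       # assumption: project id as a repository variable
        run: |
          echo "::add-mask::${INFISICAL_TOKEN}"    # mask the token in the job log
          # Assumption: GET /api/v3/secrets/raw returns {"secrets":[{"secretKey":...,"secretValue":...}]}
          curl -fsS \
            -H "Authorization: Bearer ${INFISICAL_TOKEN}" \
            "${DOMAIN}/api/v3/secrets/raw?workspaceId=${PROJECT_ID}&environment=prod&secretPath=/" \
            | jq -r '.secrets[] | "\(.secretKey)=\(.secretValue)"' > .env
          chmod 600 .env                            # secrets land in a file, not in the log
```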
```yaml
- uses: Rikthepixel/infisical-token-action@v1.0.2
  with:
    method: "oidc"
    identity-id: "24be0d94-b43a-41c4-812c-1e8654d9ce1e"
    domain: "https://app.infisical.com" # Update to the instance URL when using EU (https://eu.infisical.com), a dedicated instance, or a self-hosted instance
- name: Example
  run: echo "${{ env.INFISICAL_TOKEN }}" # demonstration only: this prints the token into the job log
```

## Inputs

| Input | Description |
| --- | --- |
| `method` | Optional. The authentication method to use. Defaults to `universal`. Possible values are `universal`, `oidc`, and `aws-iam`. |
| `client-id` | Optional. Machine Identity client ID (Universal Auth). |
| `client-secret` | Optional. Machine Identity secret key (Universal Auth). |
| `identity-id` | Optional. Machine Identity ID (OIDC Auth and AWS IAM Auth). |
| `oidc-audience` | Optional. Custom `aud` claim for the signed GitHub ID token. |
| `domain` | Optional. Infisical URL. Defaults to `https://app.infisical.com`. If you're using Infisical EU (`https://eu.infisical.com`) or a self-hosted/dedicated instance, you will need to set the appropriate value for this field. |
| `extra-headers` | Optional. Extra headers that will be included in every request made to Infisical. This is useful if your Infisical instance is behind a header-based firewall. |

Example:

```yaml
extra-headers: |
  Example-Header: Header-Value
  X-Request-Id: 1234567890
  X-Authentication-Secret: ${{ secrets.AUTH_SECRET }}
```

All credit goes to the Infisical team for creating the infisical/secrets-action. This is simply a fork that has been modified to fit my needs.