Pull secrets from your Keyway vault and export them as environment variables in your GitHub Actions workflows.
- Pull secrets from Keyway vault for any environment
- Export secrets as GitHub Actions environment variables
- Optionally write secrets to a
.envfile - Automatic secret masking in workflow logs
- Support for self-hosted/enterprise Keyway installations
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}Pull secrets and export as environment variables:
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
- name: Use secrets
run: |
echo "Database: $DATABASE_URL"
./deploy.shjobs:
test:
runs-on: ubuntu-latest
steps:
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
environment: staging
deploy:
runs-on: ubuntu-latest
steps:
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
environment: cicd- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
env-file: .env
export-env: false- uses: keywaysh/keyway-action@v1
with:
# Required: Keyway authentication token
token: ${{ secrets.KEYWAY_TOKEN }}
# Vault environment (default: cicd)
environment: cicd
# Repository in owner/repo format (auto-detected)
repository: owner/repo
# Export secrets as GitHub env vars (default: true)
export-env: true
# Write secrets to .env file (optional)
env-file: .env
# Mask secret values in logs (default: true)
mask-values: true
# API URL for self-hosted (default: https://api.keyway.sh)
api-url: https://api.keyway.sh| Input | Description | Required | Default |
|---|---|---|---|
token |
Keyway API key or GitHub PAT | Yes | - |
environment |
Vault environment | No | cicd |
repository |
Repository (owner/repo) | No | Auto-detected |
export-env |
Export as env vars | No | true |
env-file |
Write to .env file | No | - |
mask-values |
Mask values in logs | No | true |
api-url |
Keyway API URL | No | https://api.keyway.sh |
| Output | Description |
|---|---|
secrets-count |
Number of secrets pulled |
environment |
Environment that was used |
API keys are the most secure option for CI/CD:
- Go to your Keyway Dashboard
- Click "Create Key" and select the
read:secretsscope - Copy the generated key (starts with
kw_live_...) - Add it as your
KEYWAY_TOKENsecret
Benefits of API keys:
- Scoped permissions (only what's needed)
- Optional expiration dates
- No access to your GitHub account
- Usage tracking and audit logs
- Create a fine-grained PAT with:
- Repository access: Select the repos you want to use with Keyway
- Permissions: Metadata → Read-only (no other permissions needed)
- Use this PAT as your
KEYWAY_TOKEN
- Run
npx @keywaysh/cli login --tokenand follow the prompts - The CLI will guide you through creating a GitHub PAT
- Use that same PAT as your
KEYWAY_TOKENin GitHub Actions
Note: Tokens from
keyway login(device flow without--token) are stored encrypted locally and cannot be easily extracted for CI/CD use. Use the--tokenflag to authenticate with a PAT you can reuse.
- Go to your repository Settings > Secrets and variables > Actions
- Click "New repository secret"
- Name:
KEYWAY_TOKEN - Value: Your Keyway token
- Click "Add secret"
name: Deploy
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
environment: cicd
- uses: amondnet/vercel-action@v25
with:
vercel-token: ${{ env.VERCEL_TOKEN }}
vercel-org-id: ${{ env.VERCEL_ORG_ID }}
vercel-project-id: ${{ env.VERCEL_PROJECT_ID }}name: Build
on:
push:
branches: [main]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
env-file: .env
- name: Build Docker image
run: docker build --secret id=env,src=.env -t myapp .name: Test
on: [push]
jobs:
test:
runs-on: ubuntu-latest
strategy:
matrix:
environment: [development, staging]
steps:
- uses: actions/checkout@v4
- uses: keywaysh/keyway-action@v1
with:
token: ${{ secrets.KEYWAY_TOKEN }}
environment: ${{ matrix.environment }}
- run: npm test- Verify your
KEYWAY_TOKENsecret is set correctly - Check if the token has expired
- Ensure the token has access to the repository
- Your API key needs the
read:secretsscope to pull secrets - Create a new API key with the correct scope in your Keyway Dashboard
- Run
keyway initlocally to create the vault first - Verify the repository name matches your Keyway vault
- Check your Keyway plan limits
- Verify you have access to the repository on GitHub
MIT