Skip to content

gerrywastaken/github-secrets-exporter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
.github
.github
 
 
ADVANCED.md
ADVANCED.md
 
 
CLAUDE.md
CLAUDE.md
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
export-secrets.sh
export-secrets.sh
 
 

Repository files navigation

GitHub Secrets Exporter

Securely export your GitHub repository secrets. They're encrypted with your personal key, so only you can decrypt them.

WARNING: If you are here because somebody is trying to add this to your repository. STOP! They are a almost certainly a scammer. Delete their PR.

Additionally nobody (not even you) ever needs to merge a pr with this in a workflow. It is for temporary use only by repository OWNERS and by design does not and should not be merged.

Why?

GitHub Actions secrets are write-only by design. You can't read them through the UI or API. This makes it hard do things like:

  • Audit what's currently set
  • Recover a secret if Github is your last hope

This action lets you export all secrets safely by encrypting them with your public key.

Quick Start

Want maximum security? See ADVANCED.md for forking and auditing the code yourself.

1. Install dependencies

  • age (encryption tool)
  • gh (Optional, you can do things manually, but it helps)

2. Generate your encryption key

TEMP_DIR=$(mktemp -d) # Use mktemp for secure storage (auto-deleted by system)
PRIVATE_KEY="$TEMP_DIR/private.key"
age-keygen -o "$PRIVATE_KEY"

This prints your public key - (the age1... part). Add the public key to the workflow in the ext step!

3. Create the workflow file

Create:
.github/workflows/export-secrets.yml

name: Export Secrets
on: pull_request

jobs:
  export:
    runs-on: ubuntu-latest
    steps:
      - uses: gerrywastaken/github-secrets-exporter@v1.1
        with:
          secrets_json: ${{ toJSON(secrets) }}
          public_encryption_key: '<age1...>'  # Paste your public key here

4. Create a PR to trigger the workflow

git checkout -b export-secrets
git add .github/workflows/export-secrets.yml
git commit -m "DO NOT MERGE: Export secrets"
git push -u origin export-secrets
gh pr create --fill

5. Download and delete the encrypted artifact

This opens an interactive menu to select and view your workflow run

gh run view --web

This opens an interactive menu where you can:

  1. Select your "Export Secrets" workflow run
  2. Browser opens click summary and Scroll to bottom
  3. Download then delete the encrypted-secrets artifact

6. Decrypt your secrets

All sensitive data files live inside the temp dir so that it is easy to delete

pushd $TEMP_DIR # Move to the temp dir
mv ~/Downloads/encrypted-secrets.zip $TEMP_DIR
unzip encrypted-secrets.zip

age --decrypt --identity "$PRIVATE_KEY" < encrypted-secrets.age > plaintext.json
popd    # jumps back to the repo

echo -e "\n\n\n\n\nYour recovered secrets inside a plaintext file 🎉"
echo "_______________________________________"
echo "${TEMP_DIR}/plaintext.json"
echo "_______________________________________"
echo -e "Make sure to move them somewhere secure because\nwe are about to delete this directory! \n\n\n"

7. Final cleanup

gh pr close -d export-secrets    # Closes the PR and delete remote and local branch
rm -rf "$TEMP_DIR"               # Delete temporary files

Security

  • Your public key is inline in the workflow (visible, auditable)
  • Encrypted secrets stored as artifact with 1-day retention (not logs)
  • Private key stored in mktemp (auto-cleanup by system, never in git)
  • See ADVANCED.md for the paranoid version

License

MIT

About

Securely export GitHub Actions secrets encrypted with age

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

Just updating the readme to be more clear Latest
Nov 28, 2025

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages