
GitHub Actions

Fetch secrets from Arcan and inject them as environment variables or write them to a .env file in your GitHub Actions workflows.

Usage

Fetch all secrets

```yaml
steps:
  - uses: GetArcan/arcan-action@v1
    with:
      arcan_url: ${{ secrets.ARCAN_URL }}
      arcan_token: ${{ secrets.ARCAN_TOKEN }}
      realm: my-app
      env: prod

  - run: echo "Database is configured"
    # DATABASE_URL, API_KEY, etc. are now available as env vars
```

Fetch specific secrets

```yaml
steps:
  - uses: GetArcan/arcan-action@v1
    with:
      arcan_url: ${{ secrets.ARCAN_URL }}
      arcan_token: ${{ secrets.ARCAN_TOKEN }}
      realm: my-app
      keys: DATABASE_URL,API_KEY,STRIPE_SECRET

  - run: npm test
```

Write to .env file

```yaml
steps:
  - uses: GetArcan/arcan-action@v1
    with:
      arcan_url: ${{ secrets.ARCAN_URL }}
      arcan_token: ${{ secrets.ARCAN_TOKEN }}
      realm: my-app
      export_file: .env
      export_env: 'false'

  - run: docker compose up -d
```

Full workflow example

```yaml
name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Load secrets
        uses: GetArcan/arcan-action@v1
        with:
          arcan_url: ${{ secrets.ARCAN_URL }}
          arcan_token: ${{ secrets.ARCAN_TOKEN }}
          realm: my-app
          env: prod
          keys: DATABASE_URL,REDIS_URL,API_KEY

      - name: Deploy
        run: ./deploy.sh
```

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| arcan_url | Yes | -- | Arcan server URL |
| arcan_token | Yes | -- | Arcan API token (arc_xxx or JWT) |
| realm | Yes | -- | Realm slug |
| env | No | dev | Environment (dev, staging, prod) |
| keys | No | -- | Comma-separated keys. Fetches all if empty. |
| export_env | No | true | Export secrets as environment variables |
| export_file | No | -- | Write secrets to a .env file at this path |
| insecure | No | false | Allow self-signed TLS certificates (dev only) |

Security

  • All secret values are registered with ::add-mask:: before they are exported, so they are redacted from workflow logs. Masking only affects log output: a later step that has the value in its environment can still leak it (for example by encoding it), so keep the steps that run after this one to code you trust
  • Store your ARCAN_TOKEN as a GitHub Actions secret, never hardcode it in the workflow file
  • Use valid TLS certificates in production (not self-signed)
  • Set insecure: 'true' only for development servers with self-signed certificates; it disables certificate verification for the request that carries your token
  • Use read-only tokens (arcan token create --scopes read) for workflows that only need to read secrets
  • Enable audit logging on the Arcan server to track all secret access
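
To make the inputs in the table above and the masking guarantee concrete, here is an added, stand-alone Python model of what a step like this has to do between the HTTP response and the `run:` steps that follow it: apply the `keys` filter, emit `::add-mask::` for every line of every value before anything else is written, render `$GITHUB_ENV` entries in heredoc form so a multi-line value cannot inject extra variables, and render a `.env` file with escaped values. This is not the action's own code (the action is a curl/jq script); the response shape (a flat JSON object of name to value), the fail-closed handling of a missing key, and the sample values are assumptions constructed for the example.

```python
"""Illustrative model of a secrets-to-Actions step (added example, not
GetArcan/arcan-action's code). Assumes the server answers with a flat JSON
object {name: value}; runs offline on a constructed sample."""
import json
import os
import re
import secrets as _rand

# Constructed sample response; the real action fetches this with curl.
SAMPLE_RESPONSE = json.dumps({
    "DATABASE_URL": "postgres://app:s3cr3t@db.internal:5432/app",
    "API_KEY": "ak_live_0123456789",
    "TLS_KEY": "-----BEGIN KEY-----\nline1\nline2\n-----END KEY-----",
    "STRIPE_SECRET": "sk_test_abc",
})

ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_response(text: str) -> dict:
    """Accept only a flat object of string values (assumed response shape)."""
    data = json.loads(text)
    if not isinstance(data, dict) or not all(isinstance(v, str) for v in data.values()):
        raise ValueError("expected a flat JSON object of string values")
    return data


def select_keys(secrets: dict, keys_csv: str = "") -> dict:
    """Apply the `keys` input: empty means all; a missing key fails the step
    (assumption: the page does not say what the action does here)."""
    wanted = [k.strip() for k in keys_csv.split(",") if k.strip()]
    if not wanted:
        return dict(secrets)
    missing = [k for k in wanted if k not in secrets]
    if missing:
        raise KeyError(f"requested keys not in realm: {missing}")
    return {k: secrets[k] for k in wanted}


def mask_commands(secrets: dict) -> list:
    """One ::add-mask:: per line of each value. GitHub redacts log lines
    one at a time, so multi-line values must be masked line by line."""
    return [f"::add-mask::{line}"
            for value in secrets.values()
            for line in value.splitlines() if line]


def github_env_text(secrets: dict, delimiter: str = None) -> str:
    """Render $GITHUB_ENV entries in NAME<<DELIM heredoc form. The random
    delimiter stops a value from terminating early and defining extra
    variables; a fixed delimiter can be supplied for tests."""
    if delimiter is None:
        delimiter = "ghadelim_" + _rand.token_hex(16)
    out = []
    for name, value in secrets.items():
        if not ENV_NAME.match(name):
            raise ValueError(f"refusing unsafe env var name: {name!r}")
        if delimiter in value:
            raise ValueError("delimiter collides with a secret value")
        out.append(f"{name}<<{delimiter}\n{value}\n{delimiter}")
    return "\n".join(out) + "\n"


def dotenv_text(secrets: dict) -> str:
    """Render a .env file with double-quoted values, escaping backslash,
    double quote and newline (escapes docker compose understands)."""
    lines = []
    for name, value in secrets.items():
        if not ENV_NAME.match(name):
            raise ValueError(f"refusing unsafe env var name: {name!r}")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
        lines.append(f'{name}="{escaped}"')
    return "\n".join(lines) + "\n"


def run_step(response_json: str, keys: str = "", export_env: bool = True,
             export_file: str = None, delimiter: str = None) -> dict:
    """Select, mask, then export, in that order: nothing leaves this
    function for $GITHUB_ENV or disk before its mask command exists."""
    chosen = select_keys(parse_response(response_json), keys)
    result = {"masks": mask_commands(chosen), "github_env": "", "dotenv": ""}
    if export_env:
        result["github_env"] = github_env_text(chosen, delimiter)
    if export_file:
        result["dotenv"] = dotenv_text(chosen)
    return result


if __name__ == "__main__":
    out = run_step(SAMPLE_RESPONSE, keys="DATABASE_URL,TLS_KEY", export_file=".env")
    print("\n".join(out["masks"]))          # workflow commands go to stdout first
    with open(os.environ.get("GITHUB_ENV", os.devnull), "a") as fh:
        fh.write(out["github_env"])         # then the env file the runner reads
    # out["dotenv"] is what would be written to the export_file path
```

Run it under `python3` inside a job and the `::add-mask::` lines reach the runner before the values are appended to `$GITHUB_ENV`; run it locally and the env content goes to `/dev/null`, which makes the ordering easy to inspect without a runner.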

Requirements

  • curl and jq (pre-installed on GitHub-hosted runners)
  • Network access to your Arcan server from the runner