ghsecretman

module v0.1.0 (latest)
Published: Apr 26, 2026 License: Apache-2.0

README

ghsecretman

A tool for managing GitHub Actions secrets, Actions variables, and Dependabot secrets across an organization. Reads a YAML file describing the desired state at three scopes — organization-level, per-repo, and fan-out-to-all-repos — and reconciles it against GitHub via three subcommands: audit (read-only diff), apply (write managed values), and enforce (apply plus delete unlisted values, with --dry-run).

See the design and full requirements in PRD #1.

Install

Pre-built binaries for darwin and linux on amd64 and arm64 are attached to each release on the Releases page. Each release also publishes a *-checksums.txt file with SHA-512 sums of every artifact.

# Pick the asset that matches your platform, then:
tar xzf ghsecretman-<version>-<os>-<arch>.tar.gz
sudo install ghsecretman-<version>-<os>-<arch>/ghsecretman /usr/local/bin/
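The release page publishes a *-checksums.txt alongside the tarballs, and the step a practitioner should not skip is checking the downloaded artifact against it before running `sudo install`. The following Go program is an added example, not part of ghsecretman, that parses a sha512sum-style checksums file and verifies an artifact's SHA-512 against it, failing closed when the file has no entry for the artifact. The asset name, the artifact bytes and the checksums text are constructed inline; a real run would read the downloaded files from disk.

```go
package main

import (
	"bufio"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// ParseChecksums reads sha512sum-style lines ("<hex digest>  <file name>",
// optionally with a leading '*' on the name for binary mode) into a map from
// file name to lowercase hex digest. Blank lines and '#' comments are skipped.
func ParseChecksums(text string) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		digest := strings.ToLower(fields[0])
		if len(digest) != sha512.Size*2 {
			return nil, fmt.Errorf("digest for %s is not SHA-512 (%d hex chars)", fields[1], len(digest))
		}
		if _, err := hex.DecodeString(digest); err != nil {
			return nil, fmt.Errorf("digest for %s is not hex: %w", fields[1], err)
		}
		sums[strings.TrimPrefix(fields[1], "*")] = digest
	}
	return sums, sc.Err()
}

// VerifyArtifact compares the SHA-512 of data with the entry recorded for name.
// An artifact with no entry fails closed rather than being silently skipped.
func VerifyArtifact(name string, data []byte, sums map[string]string) error {
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("%s: no entry in checksums file", name)
	}
	got := sha512.Sum512(data)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("%s: SHA-512 mismatch, refusing to install", name)
	}
	return nil
}

func main() {
	// Constructed artifact bytes standing in for a release tarball (hypothetical asset name).
	const asset = "ghsecretman-v0.1.0-linux-amd64.tar.gz"
	artifact := []byte("pretend tarball contents")
	sum := sha512.Sum512(artifact)

	// Constructed checksums text in the same shape as a *-checksums.txt file.
	checksums := fmt.Sprintf("# release checksums\n%s  %s\n", hex.EncodeToString(sum[:]), asset)

	sums, err := ParseChecksums(checksums)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("pristine:", VerifyArtifact(asset, artifact, sums))
	fmt.Println("tampered:", VerifyArtifact(asset, append([]byte{}, append(artifact, '!')...), sums))
	fmt.Println("unlisted:", VerifyArtifact("other.tar.gz", artifact, sums))
}
```

Only the pristine case returns nil; a modified artifact and an artifact missing from the checksums file both return an error, which is the behaviour you want gating an install step in CI.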

To build from source:

go install github.com/schmidtw/ghsecretman/cmd/ghsecretman@latest

ghsecretman version prints the version, commit, and build date stamped in at release time.

Quick Start

ghsecretman authenticates with a personal access token from GITHUB_TOKEN (preferred) or GH_TOKEN. The token needs the scopes required to read and write the secrets/variables you list in the YAML.

A minimal config (secrets.yml) for an audit against one repo:

github.com:
  example-org:
    per-repo:
      example-repo:
        managed:
          vars:
            APP_ENV:
              value: production

Run a read-only audit:

export GITHUB_TOKEN=ghp_...
ghsecretman audit --config secrets.yml --org example-org --repo example-repo

audit exits non-zero if any drift is found, so it is safe to run from CI as a drift detector. To write managed values, use apply; to also delete unlisted values, use enforce, which requires --yes for the destructive path and supports --dry-run for review.

Omit --repo to iterate every repo in the org concurrently; --concurrency bounds the worker pool.
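To make the audit/apply/enforce semantics concrete, here is an added Go example that is not ghsecretman's own code: it reconciles a desired set of managed entries against an observed live state and produces a plan of actions. It assumes two things stated in the directory synopses below, that variable values are readable from GitHub while secret values are not (only names), and that only enforce deletes unlisted entries; the sample desired and observed maps are constructed, and the Action type, Reconcile and HasDrift are hypothetical names, not the project's plan or diff packages.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is one planned step for a single (kind, name) on one target repo.
// Op is "create", "update", "delete" or "ok".
type Action struct {
	Op   string
	Kind string
	Name string
}

// Reconcile compares the managed entries from the YAML (desired) against the
// live state read from GitHub (observed). valuesVisible is true for Actions
// variables, whose values the API returns, and false for Actions and Dependabot
// secrets, where only names are listed, so only presence can be checked.
// deleteUnlisted models the enforce subcommand: observed entries that are not
// managed become delete actions; audit and apply leave them alone (assumption).
func Reconcile(kind string, desired, observed map[string]string, valuesVisible, deleteUnlisted bool) []Action {
	var acts []Action
	for name, want := range desired {
		got, exists := observed[name]
		switch {
		case !exists:
			acts = append(acts, Action{Op: "create", Kind: kind, Name: name})
		case valuesVisible && got != want:
			acts = append(acts, Action{Op: "update", Kind: kind, Name: name})
		default:
			acts = append(acts, Action{Op: "ok", Kind: kind, Name: name})
		}
	}
	if deleteUnlisted {
		for name := range observed {
			if _, managed := desired[name]; !managed {
				acts = append(acts, Action{Op: "delete", Kind: kind, Name: name})
			}
		}
	}
	// Map iteration order is random; sort so the plan is deterministic.
	sort.Slice(acts, func(i, j int) bool { return acts[i].Name < acts[j].Name })
	return acts
}

// HasDrift is the audit exit-status rule: any non-"ok" action means drift.
func HasDrift(acts []Action) bool {
	for _, a := range acts {
		if a.Op != "ok" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample state; not real repository data.
	desiredVars := map[string]string{"APP_ENV": "production", "REGION": "us-east-1"}
	observedVars := map[string]string{"APP_ENV": "staging", "LEGACY_FLAG": "1"}

	fmt.Println("audit/apply plan (unlisted values left alone):")
	plan := Reconcile("vars", desiredVars, observedVars, true, false)
	for _, a := range plan {
		fmt.Printf("  %-6s %s/%s\n", a.Op, a.Kind, a.Name)
	}
	fmt.Println("drift:", HasDrift(plan))

	fmt.Println("enforce plan (unlisted values deleted):")
	for _, a := range Reconcile("vars", desiredVars, observedVars, true, true) {
		fmt.Printf("  %-6s %s/%s\n", a.Op, a.Kind, a.Name)
	}

	// Secrets: GitHub never returns the value, so a present name counts as ok.
	desiredSecrets := map[string]string{"DEPLOY_KEY": "<from env>"}
	observedSecrets := map[string]string{"DEPLOY_KEY": ""}
	fmt.Println("secret drift:", HasDrift(Reconcile("secrets", desiredSecrets, observedSecrets, false, false)))
}
```

The point worth noticing is the secrets branch: because the API only lists secret names, a secret whose value was changed out of band is invisible to an audit, so value drift can only be detected for variables; rotating a secret means re-running apply, not trusting the audit.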

Configuration

The full YAML schema (org, per-repo, all-repos, managed, ignored, value sources, precedence rules, org-level scope/repos) is documented in PRD #1. A complete annotated example lives in internal/schema/example.yml, and the same content is embedded in the binary — run ghsecretman example to print it, or ghsecretman example -o secrets.yml to write a starter config.

Top-level keys other than github.com: are ignored, so the same file can carry sections owned by other tools.

License

Apache-2.0. See LICENSE.

Directories

Path: Synopsis

cmd/ghsecretman (command): Command ghsecretman manages GitHub secrets, variables, and Dependabot secrets across an organization from a YAML configuration file.

internal/diff: Package diff compares planned intents against observed live state.

internal/github: Package github wraps the upstream go-github SDK with the narrow surface ghsecretman needs: list repo Actions variables (with values), list repo Actions secret names, and list repo Dependabot secret names.

internal/plan: Package plan turns a config model into a flat list of intended actions per (target, kind, name).

internal/resolve: Package resolve turns a config.Entry into its concrete string value by reading from value, env, or file as the entry directs.

internal/runner: Package runner orchestrates an audit pass against a single repo.

internal/schema: Package schema exposes the canonical annotated example YAML configuration for ghsecretman.
