orgstringrequired
secret_namestringrequired
secret_name parameter
Get an organization secret
Gets a single organization secret without revealing its encrypted value. You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the secrets organization permission to use this endpoint.
get
{protocol}://{hostname}/api/v3/orgs/{org}/actions/secrets/{secret_name}
Path Parameters
Response
200 application/json
Response
200 application/json
Response
Actions Secret for an Organization
Secrets for GitHub Actions for an organization.
namestringrequired
The name of the secret.
Example:SECRET_TOKEN
created_atstring(date-time)required
updated_atstring(date-time)required
visibilitystringrequired
Visibility of a secret
Allowed values:allprivateselected
selected_repositories_urlstring(uri)
Example:https://api.github.com/organizations/org/secrets/my_secret/repositories
get/orgs/{org}/actions/secrets/{secret_name}
Path Parameters
200 application/json
Create or update an organization secret
Creates or updates an organization secret with an encrypted value. Encrypt your secret using
LibSodium. You must authenticate using an access
token with the admin:org scope to use this endpoint. GitHub Apps must have the secrets organization permission to
use this endpoint.
Example encrypting a secret using Node.js
Encrypt your secret using the tweetsodium library.
const sodium = require('tweetsodium');
const key = "base64-encoded-public-key";
const value = "plain-text-secret";
// Convert the message and key to Uint8Array's (Buffer implements that interface)
const messageBytes = Buffer.from(value);
const keyBytes = Buffer.from(key, 'base64');
// Encrypt using LibSodium.
const encryptedBytes = sodium.seal(messageBytes, keyBytes);
// Base64 the encrypted secret
const encrypted = Buffer.from(encryptedBytes).toString('base64');
console.log(encrypted);
Example encrypting a secret using Python
Encrypt your secret using pynacl with Python 3.
from base64 import b64encode
from nacl import encoding, public
def encrypt(public_key: str, secret_value: str) -> str:
"""Encrypt a Unicode string using the public key."""
public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
sealed_box = public.SealedBox(public_key)
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
return b64encode(encrypted).decode("utf-8")
Example encrypting a secret using C#
Encrypt your secret using the Sodium.Core package.
var secretValue = System.Text.Encoding.UTF8.GetBytes("mySecret");
var publicKey = Convert.FromBase64String("2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU=");
var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);
Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));
Example encrypting a secret using Ruby
Encrypt your secret using the rbnacl gem.
require "rbnacl"
require "base64"
key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)
box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("my_secret")
# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)
put
{protocol}://{hostname}/api/v3/orgs/{org}/actions/secrets/{secret_name}
Path Parameters
orgstringrequired
secret_namestringrequired
secret_name parameter
Body
application/json
Body
application/json
encrypted_valuestring
Value for your secret, encrypted with LibSodium using the public key retrieved from the Get an organization public key endpoint.
Match pattern:^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$
key_idstring
ID of the key you used to encrypt the secret.
visibilitystringrequired
Configures the access that repositories have to the organization secret. Can be one of:
- all - All repositories in an organization can access the secret.
- private - Private repositories in an organization can access the secret.
- selected - Only specific repositories can access the secret.
Allowed values:allprivateselected
selected_repository_idsarray[string]
An array of repository ids that can access the organization secret. You can only provide a list of repository ids when the visibility is set to selected. You can manage the list of selected repositories using the List selected repositories for an organization secret, Set selected repositories for an organization secret, and Remove selected repository from an organization secret endpoints.
Response
application/json
Response
application/json
Response when creating a secret
Empty Object
Empty Objectobject
An object without any properties.
* Additional properties are NOT allowed.
put/orgs/{org}/actions/secrets/{secret_name}
Path Parameters
Body
{
"encrypted_value": "c2VjcmV0",
"key_id": "012345678912345678",
"visibility": "selected",
"selected_repository_ids": [
"1296269",
"1296280"
]
}
application/json
Delete an organization secret
Deletes a secret in an organization using the secret name. You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the secrets organization permission to use this endpoint.
delete
{protocol}://{hostname}/api/v3/orgs/{org}/actions/secrets/{secret_name}
Path Parameters
orgstringrequired
secret_namestringrequired
secret_name parameter
Response
204
Response
204
Response
delete/orgs/{org}/actions/secrets/{secret_name}
Path Parameters
204
List selected repositories for an organization secret
Lists all repositories that have been selected when the visibility for repository access to a secret is set to selected. You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the secrets organization permission to use this endpoint.
get
{protocol}://{hostname}/api/v3/orgs/{org}/actions/secrets/{secret_name}/repositories
Query Parameters
pageinteger
Page number of the results to fetch.
Default:1
per_pageinteger
Results per page (max 100)
Default:30
Path Parameters
orgstringrequired
secret_namestringrequired
secret_name parameter
Response
200 application/json
Response
200 application/json
Response
total_countintegerrequired
repositoriesarray[object]required
Minimal Repository
Show Child Parameters
get/orgs/{org}/actions/secrets/{secret_name}/repositories
Path Parameters
Query Parameters
200 application/json
Set selected repositories for an organization secret
Replaces all repositories for an organization secret when the visibility for repository access is set to selected. The visibility is set when you Create or update an organization secret. You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the secrets organization permission to use this endpoint.
put
{protocol}://{hostname}/api/v3/orgs/{org}/actions/secrets/{secret_name}/repositories
Path Parameters
orgstringrequired
secret_namestringrequired
secret_name parameter
Body
application/json
Body
application/json
selected_repository_idsarray[integer]required
An array of repository ids that can access the organization secret. You can only provide a list of repository ids when the visibility is set to selected. You can add and remove individual repositories using the Set selected repositories for an organization secret and Remove selected repository from an organization secret endpoints.
Response
204
Response
204
Response
put/orgs/{org}/actions/secrets/{secret_name}/repositories
Path Parameters
Body
{
"selected_repository_ids": [
64780797
]
}
204