Integrate with GitHub Actions
HCP Vault Secrets allows users to automatically synchronize application secrets to GitHub. This guide walks you through the configuration process.
Prerequisites:
- Permissions to install GitHub applications
- An Admin role in an HCP Project
- An HCP Vault Secrets application and secret(s)
Configuration
Navigate to the HCP Vault Secrets app you would like to integrate with GitHub. From the sidebar, select Integrations then click on the GitHub Actions card to initiate the setup in a second window.
Select where you want to install the HCP Vault Secrets GitHub application.
Select the repositories you want to authorize HCP Vault Secrets to access. You can modify the list of authorized repositories at any time.
Click Install & Authorize to complete the installation. The window will close and the installation process will complete automatically on the HashiCorp Cloud Platform.
Note
If the installation process encounters an unexpected error, you can always uninstall the GitHub application in your GitHub settings and try again.
You will be presented with three fields:
- GitHub Account is the GitHub account of the user where the GitHub application was installed.
- Repository is the list of repositories that HCP Vault Secrets is authorized to access. You can remove or add repositories at any time via your GitHub account settings.
- Environment is the list of environments within your GitHub repository. This field is optional; use it if you want to sync secrets to a specific environment. You can remove or add environments at any time via your GitHub repository settings.
Once all required fields are populated, click Save and sync secrets to complete the configuration process. HCP Vault Secrets immediately syncs all your existing app secrets to the specified scope of the GitHub Account.
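To confirm that the sync reached the scope you selected, compare the secret names you expect against what GitHub reports for that repository or environment. The script below is an added example, not part of the HCP documentation. It assumes that secrets appear in GitHub under their HCP names and that the GitHub CLI (`gh`) is installed and authenticated for live use; the secret names and sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the HCP documentation. Secret names are hypothetical.

# Constructed sample of piped `gh secret list` output: NAME<TAB>UPDATED.
SAMPLE_GH_OUTPUT="$(printf 'API_TOKEN\t2024-05-01T10:00:00Z\nDB_PASSWORD\t2024-05-01T10:00:00Z\n')"

# Reads `gh secret list` output on stdin and prints every name from $1
# (whitespace-separated) that GitHub does not report.
# GitHub secret names are not case-sensitive, so both sides are upper-cased.
# Returns 0 when all expected names are present, 1 otherwise.
missing_secrets() {
  actual=$(cut -f1 | tr '[:lower:]' '[:upper:]')
  rc=0
  for name in $1; do
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    if ! printf '%s\n' "$actual" | grep -Fxq -- "$upper"; then
      printf '%s\n' "$upper"
      rc=1
    fi
  done
  return "$rc"
}

# Offline demo against the constructed sample.
if ! printf '%s\n' "$SAMPLE_GH_OUTPUT" | missing_secrets "api_token DB_PASSWORD SIGNING_KEY"; then
  echo "sync incomplete for the scope checked" >&2
fi

# Live use (needs an authenticated gh CLI; OWNER/REPO and ENV are placeholders):
#   gh secret list --repo OWNER/REPO --env ENV | missing_secrets "API_TOKEN DB_PASSWORD"
```

Only secret names are compared; GitHub never returns secret values, so a stale value under a correct name is not detected by this check.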
Permission Update
If you currently use the HCP Vault Secrets GitHub application to sync secrets to your GitHub repositories, and you want to sync secrets to your GitHub organization or environments, accept the new permissions on GitHub first. This will allow the GitHub application to sync secrets to the new scopes. Otherwise, you may encounter an "Unauthorized" error when syncing secrets.
Multi-account support
You can now add multiple GitHub sync integrations that connect to different GitHub accounts to your HCP Vault Secrets application.
- Navigate to your Vault Secrets Application in the HCP Portal.
- Click on the Integrations tab.
- Under Active integrations, you will see the GitHub Actions card.
- Click Manage.
- Click Add Sync Integration.
- Proceed with the rest of the form to add a sync integration to a different GitHub account.
You can also connect multiple HCP Vault Secrets applications to the same GitHub account.
- Navigate to your Vault Secrets Application in the HCP Portal.
- Click on the Integrations tab.
- Click on the GitHub Actions card.
- Authorize the GitHub application so that it can access the GitHub installations you already have access to.
- Then in the GitHub Account dropdown, select the account under GitHub accounts with HCP Vault Secrets installed.
- Once the account is selected, proceed with the rest of the form to add a sync integration to the selected GitHub account.
Limitations
- You can only create new GitHub sync integrations from HCP Vault Secrets, and they cannot be triggered from the GitHub marketplace.