Creates or updates an organization secret with an encrypted value. Encrypt your secret using LibSodium. You must authenticate using an access token with the admin:org scope to use this endpoint. GitHub Apps must have the secrets organization permission to use this endpoint.
PUT /orgs/:org/actions/secrets/:secret_name
| Name | Type | Description |
|---|---|---|
encrypted_value |
string |
Value for your secret, encrypted with LibSodium using the public key retrieved from the Get an organization public key endpoint. |
key_id |
string |
ID of the key you used to encrypt the secret. |
visibility |
string |
Configures the access that repositories have to the organization secret. Can be one of: - all - All repositories in an organization can access the secret.- private - Private repositories in an organization can access the secret.- selected - Only specific repositories can access the secret. |
selected_repository_ids |
array of strings |
An array of repository ids that can access the organization secret. You can only provide a list of repository ids when the visibility is set to selected. You can manage the list of selected repositories using the List selected repositories for an organization secret, Set selected repositories for an organization secret, and Remove selected repository from an organization secret endpoints. |
Encrypt your secret using the tweetsodium library.
const sodium = require('tweetsodium');
const key = "base64-encoded-public-key";
const value = "plain-text-secret";
// Convert the message and key to Uint8Array's (Buffer implements that interface)
const messageBytes = Buffer.from(value);
const keyBytes = Buffer.from(key, 'base64');
// Encrypt using LibSodium.
const encryptedBytes = sodium.seal(messageBytes, keyBytes);
// Base64 the encrypted secret
const encrypted = Buffer.from(encryptedBytes).toString('base64');
console.log(encrypted);
Encrypt your secret using pynacl with Python 3.
from base64 import b64encode
from nacl import encoding, public
def encrypt(public_key: str, secret_value: str) -> str:
"""Encrypt a Unicode string using the public key."""
public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
sealed_box = public.SealedBox(public_key)
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
return b64encode(encrypted).decode("utf-8")
Encrypt your secret using the Sodium.Core package.
var secretValue = System.Text.Encoding.UTF8.GetBytes("mySecret");
var publicKey = Convert.FromBase64String("2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU=");
var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);
Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));
Encrypt your secret using the rbnacl gem.
require "rbnacl"
require "base64"
key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)
box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("my_secret")
# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)
{
"encrypted_value": "****************************************************************************************",
"key_id": "012345678912345678",
"visibility": "selected",
"selected_repository_ids": [
1296269,
1296280
]
}
Status: 201 Created
Status: 204 No Content