jinghaihan/gh-secrets-sync

GitHub Secrets Sync

A CLI tool to batch sync GitHub Actions secrets across multiple repositories. Sync secrets from a central repository to target repositories using GitHub CI.

Why?

Managing GitHub Actions secrets across multiple repositories can be tedious:

  • Manual repetition: You need to manually add the same secret to each repository
  • Error-prone: Easy to forget to update a secret in one of the repositories

This tool automates the process, allowing you to sync secrets across multiple repositories with a single command.

Usage

Create a configuration file (secrets.config.yaml) in your central repository or local directory:

repos:
  - owner/vscode-*

envs:
  - VSCE_PAT
  - OVSX_PAT

Note

Both repos and envs support * wildcards. For repos, the tool lists all repositories accessible by your token and filters by the pattern (e.g., owner/vscode-*). For envs, wildcards are expanded by listing secrets from the central repository and matching by name. The central repository is auto-detected in GitHub Actions (from the checked-out repo); for local runs, pass --repo <owner/repo>.
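Because a wildcard is resolved against everything the token can access, it is worth previewing which (repository, secret) pairs a config would write before running with `--yes`. The sketch below is an added example, not gh-secrets-sync's own code; its matching rules (`*` matches any run of characters, case-sensitive, anchored to the whole name, literal names pass through) and the sample repository and secret lists are assumptions constructed for illustration.

```javascript
// Added example; not gh-secrets-sync's own code. Assumed matching rules:
// `*` matches any run of characters, case-sensitive, anchored to the whole name;
// names without `*` are taken literally.

// Convert a `*` pattern to an anchored RegExp, escaping other metacharacters
// so a `.` in a repository name cannot act as a regex wildcard.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map(part => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

// Expand patterns against candidate names. Returns de-duplicated matches and
// the wildcard patterns that matched nothing (often a typo in the config).
function expand(patterns, candidates) {
  const matched = new Set();
  const unmatched = [];
  for (const pattern of patterns) {
    if (!pattern.includes('*')) { matched.add(pattern); continue; }
    const re = wildcardToRegExp(pattern);
    const hits = candidates.filter(name => re.test(name));
    if (hits.length === 0) unmatched.push(pattern);
    hits.forEach(name => matched.add(name));
  }
  return { matched: [...matched], unmatched };
}

// Every (repo, secret) pair a run would write: the reach of the config.
function plan(config, accessibleRepos, centralSecrets) {
  const repos = expand(config.repos, accessibleRepos);
  const envs = expand(config.envs, centralSecrets);
  const writes = repos.matched.flatMap(repo => envs.matched.map(env => ({ repo, env })));
  return { writes, unmatched: [...repos.unmatched, ...envs.unmatched] };
}

// Constructed sample data: repositories the token can see and secrets that
// exist in the central repository.
const config = { repos: ['owner/vscode-*'], envs: ['VSCE_PAT', 'OVSX_*', 'NPM_*'] };
const accessibleRepos = ['owner/vscode-foo', 'owner/vscode-bar', 'owner/website',
  'other/vscode-foo', 'owner/xvscode-foo'];
const centralSecrets = ['GITHUB_PAT', 'VSCE_PAT', 'OVSX_PAT'];

const result = plan(config, accessibleRepos, centralSecrets);
console.table(result.writes);
console.log('wildcards that matched nothing:', result.unmatched);
```

A pattern such as `owner/*` or a bare `*` would select every repository the token can reach, so scoping the token to only the intended repositories limits what a loose pattern can touch.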

Local usage

If GitHub CI feels too complex, you can simply run it locally:

# Set your token and secret values in env
export GITHUB_PAT=...
export VSCE_PAT=...
export OVSX_PAT=...

npx gh-secrets-sync

GitHub CI usage

Set up GitHub CI in your central repository:

# .github/workflows/sync-secrets.yml
name: Sync Secrets

permissions:
  contents: write

on:
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * *'
  workflow_dispatch:

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set node
        uses: actions/setup-node@v4
        with:
          node-version: lts/*

      - name: Sync Secrets
        # If wildcard patterns are used in `repos` or `envs`, `--yes` must be set in GitHub Actions
        run: npx gh-secrets-sync --yes
        env:
          GITHUB_PAT: ${{secrets.GITHUB_PAT}}
          VSCE_PAT: ${{secrets.VSCE_PAT}}
          OVSX_PAT: ${{secrets.OVSX_PAT}}

Configure secrets in your central repository:

  • Go to your central repository Settings > Secrets and variables > Actions
  • Add GITHUB_PAT as a repository secret (this is your GitHub Personal Access Token)
  • Add VSCE_PAT and OVSX_PAT as repository secrets

How to Get Your GitHub Token

  1. Go to GitHub Personal Access Tokens
  2. Click "Generate new token"
  3. Give it a descriptive name like "Secrets Sync Tool"
  4. Select the required scopes:
    • Repository permissions > Secrets: Read and write
    • Repository permissions > Actions: Read and write
    • Metadata
  5. Click "Generate token"
  6. Add the token as a repository secret named GITHUB_PAT in your central repository

License

MIT License © jinghaihan
