GitHub Secrets Manager
How to store secrets in GitHub
The GitHub secrets manager is a secrets manager flavor provided with the ZenML
githubintegration that uses GitHub secrets to store secrets.
We are deprecating secrets managers in favor of the centralized ZenML secrets store. Going forward, we recommend using the secrets store instead of secrets managers to configure and store secrets.
If you already use secrets managers to manage your secrets, please use the provided
zenml secrets-manager secrets migrateCLI command to migrate your secrets to the centralized secrets store.
We're not planning to support GitHub as a direct centralized secrets store back-end replacement for the GitHub secrets manager stack component because of its limitation of only allowing reading secret values when running inside a GitHub Actions workflow.
To continue using secrets, you may use any of the secrets store back-ends that the ZenML server supports, such as Google Secret Manager, Azure Key Vault, AWS Secrets Manager, HashiCorp Vault or even the ZenML SQL database. Simply configure your ZenML server to connect to one of these services directly as a back-end for the centralized secrets store and then use
zenml secretCLI commands to manage your secrets instead of
zenml secrets-manager secretCLI commands. You no longer need to register the GitHub secrets manager or add it to your active stack.
The GitHub secrets manager does not allow reading secret values unless it's running inside a GitHub Actions workflow. For this reason, this secrets manager only works in combination with a GitHub Actions orchestrator.
GitHub secrets are automatically enabled when creating a GitHub repository.
To use the GitHub secrets manager, we need:
- The ZenML
githubintegration installed. If you haven't done so, runzenml integration install github
- A personal access token to authenticate with the GitHub API. Follow this guide to create one and make sure to give it the
- Our GitHub username and the personal access token set as environment variables:export GITHUB_USERNAME=<GITHUB_USERNAME>export GITHUB_AUTHENTICATION_TOKEN=<PERSONAL_ACCESS_TOKEN>
- The owner and name of the repository that we want to add secrets to.
We can then register the secrets manager and use it in our active stack:
zenml secrets-manager register <NAME> \
# Add the secrets manager to the active stack
zenml stack update -x <NAME>
You can now register, update or delete secrets using the CLI or fetch secret values inside your steps.
For more information and a full list of configurable attributes of the GitHub secrets manager, check out the API Docs.