GitHub Action

Overview

The PassBox GitHub Action injects secrets from your vault into your CI/CD pipeline as environment variables. All secrets are masked in logs automatically.

Setup

1. Create a Service Token

passbox token create --name "github-actions" --permissions read

2. Add Token to GitHub Secrets

Go to your repo’s Settings > Secrets and variables > Actions and add:

Name: PASSBOX_TOKEN
Value: pb_your_service_token

3. Use in Workflow

name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Inject secrets
        uses: Paparusi/passbox@main
        with:
          token: ${{ secrets.PASSBOX_TOKEN }}
          vault: my-app
          environment: production

      - name: Deploy
        run: |
          echo "Deploying with secrets..."
          # DATABASE_URL, API_KEY, etc. are now in $GITHUB_ENV
          npm run deploy

Inputs

Input	Required	Default	Description
`token`	Yes	—	PassBox service token (`pb_...`)
`vault`	No	—	Vault name or ID (uses default if omitted)
`environment`	No	—	Environment name (e.g., `production`)
`secrets`	No	—	Specific secrets (comma-separated). Injects all if omitted.
`export-env`	No	`true`	Export secrets as environment variables
`env-file`	No	—	Write secrets to a `.env` file at this path
`server`	No	`https://api.passbox.dev`	PassBox server URL

Examples

Inject All Secrets

- uses: Paparusi/passbox@main
  with:
    token: ${{ secrets.PASSBOX_TOKEN }}
    vault: my-app
    environment: production

Inject Specific Secrets

- uses: Paparusi/passbox@main
  with:
    token: ${{ secrets.PASSBOX_TOKEN }}
    vault: my-app
    secrets: DATABASE_URL,API_KEY,REDIS_URL

Write to .env File

- uses: Paparusi/passbox@main
  with:
    token: ${{ secrets.PASSBOX_TOKEN }}
    vault: my-app
    environment: production
    export-env: 'false'
    env-file: .env.production

Multiple Environments

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    steps:
      - uses: Paparusi/passbox@main
        with:
          token: ${{ secrets.PASSBOX_TOKEN }}
          vault: my-app
          environment: staging

  deploy-production:
    runs-on: ubuntu-latest
    needs: deploy-staging
    steps:
      - uses: Paparusi/passbox@main
        with:
          token: ${{ secrets.PASSBOX_TOKEN }}
          vault: my-app
          environment: production

Self-Hosted Server

- uses: Paparusi/passbox@main
  with:
    token: ${{ secrets.PASSBOX_TOKEN }}
    vault: my-app
    server: https://your-passbox-server.com

Security

All secret values are registered with core.setSecret(), so they are masked in logs
Secrets are exported via core.exportVariable(), available as $GITHUB_ENV
The service token should have read permission only
Use GitHub’s environment protection rules for production deployments