github-action-detect-unused-secrets
GitHub Action that detects unused secrets. Checks which secrets are used in workflows with those defined in the repository settings.
Usage
Configure this action in your workflows providing the input described below and following the instructions.
Inputs
input | required | default | description |
---|---|---|---|
github-token |
no | ${{ github.token }} |
The generated token or your personal access token with repo scope. |
Note that the default
secrets.GITHUB_TOKEN
does not have the required permissions, you need to either use a generated token or a personal access token with repo scope.
Create and Install a GitHub App
You need to create a GitHub App within your organisation with permission to secrets: read-only
and install it on the repo where you want to use this action. Save the APP_ID
and generated PRIVATE_KEY
to the secrets under your organisation or repo.
This action uses the list repository secrets endpoint and your GitHub App must have the secrets
repository permission to use this endpoint.
Note that you can skip this step if you use a personal access token with
repo
scope and reference it asgithub-token
uses: tibdex/github-app-token@v1
Required
This step is used when secrets.GITHUB_TOKEN
's limitations are too restrictive and a personal access token is not suitable.
The default secrets.GITHUB_TOKEN
has limited permissions click here for more information, this step is generating a new token.
APP_ID
and PRIVATE_KEY
are required inputs, which have been generated by installing a GitHub App
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@v1
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}
Note that you can skip this step if you use a personal access token with
repo
scope and reference it as github-token
uses: actions/checkout@v3
Required Allows access to the content of the workflow files
Example usage
The example below runs the action every Monday at 10am, also allows to trigger it manually.
Generates a token
Check out the code
And finally runs the github-action-detect-unused-secrets
with the generated token.
name: detect-unused-secrets
on:
workflow_dispatch:
schedule:
- cron: '0 10 * * MON'
jobs:
setup:
runs-on: ubuntu-latest
steps:
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@v1
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}
- name: Checkout Code
uses: actions/checkout@v3
- name: Detect unused secrets
uses: nearform-actions/github-action-detect-unused-secrets@v1
with:
github-token: ${{ steps.generate_token.outputs.token }}