GitHub Actions - Manual Setup

Manually configure GitHub Actions with SikkerKey secrets.

For a faster setup experience, use the automated setup which handles everything from the dashboard with one click.

Using the Action

The SikkerKeyOfficial/setup-sikkerkey action installs the CLI, configures the machine identity, and optionally exports secrets as masked environment variables.

name: Deploy
on: push

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: SikkerKeyOfficial/setup-sikkerkey@v1
        with:
          vault-id: ${{ secrets.SIKKERKEY_VAULT_ID }}
          project-id: ${{ secrets.SIKKERKEY_PROJECT_ID }}
          machine-id: ${{ secrets.SIKKERKEY_MACHINE_ID }}
          private-key: ${{ secrets.SIKKERKEY_PRIVATE_KEY }}
          export: true

      - run: echo "Database is $DB_CREDS_HOST"

All exported values are automatically masked in logs via ::add-mask::.

Setup

1. Bootstrap a CI machine

From the dashboard, go to Machines and click + Validate. Select the CI/CD tab and copy the command. Run it on any machine with openssl and curl:

curl -sSL https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN/ci | sh

This generates a keypair locally, registers the public key with SikkerKey, and prints the credentials:

SIKKERKEY_VAULT_ID=vault_abc123
SIKKERKEY_MACHINE_ID=9daae125-1f61-4eca-bde6-70aaa40db018

SIKKERKEY_PRIVATE_KEY:
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIHN...
-----END PRIVATE KEY-----

2. Add GitHub Secrets

In your repository, go to Settings > Secrets and variables > Actions and create four separate repository secrets:

Secret                  Value
SIKKERKEY_VAULT_ID      The vault ID from the output
SIKKERKEY_PROJECT_ID    Your project ID (from the dashboard sidebar)
SIKKERKEY_MACHINE_ID    The machine ID from the output
SIKKERKEY_PRIVATE_KEY   The full PEM private key, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines

Each secret must be created individually with its own name and value.

3. Approve and grant access

The machine appears as pending in the dashboard. Approve it, add it to your project, and grant it access to the secrets your workflow needs.
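
Before creating SIKKERKEY_PRIVATE_KEY it is worth checking that what you are about to paste is the complete key the bootstrap printed, because a truncated body or a missing BEGIN/END line is otherwise only discovered when the first workflow run fails to authenticate. The check below is an added example and not part of SikkerKey's tooling. It relies on the shape of the key the bootstrap output above shows: a PKCS#8 Ed25519 private key in that form is 48 DER bytes, so its PEM is always exactly three lines, the base64 body is 64 characters, and the body starts with the fixed prefix MC4CAQAwBQYDK2VwBCIEI (visible in the output above) because the leading bytes encode the algorithm identifier rather than key material. The dummy key in the demo is constructed for this example and has an all-zero seed.

```shell
#!/usr/bin/env sh
# Added example (not SikkerKey tooling): check that a pasted PEM is a complete
# PKCS#8 Ed25519 private key before storing it as SIKKERKEY_PRIVATE_KEY.

# Fixed base64 prefix of a PKCS#8 (v1) Ed25519 private key: it encodes the DER
# header and the Ed25519 algorithm OID, so every such key starts with it.
ED25519_PKCS8_PREFIX='MC4CAQAwBQYDK2VwBCIEI'

# validate_ed25519_pem PEM_TEXT: print "ok" and return 0 if PEM_TEXT is a
# complete Ed25519 PKCS#8 PEM; otherwise print the reason and return 1.
validate_ed25519_pem() {
  # Normalise: drop CRs from Windows pastes, trailing spaces and blank lines.
  pem=$(printf '%s\n' "$1" | tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d')
  nlines=$(printf '%s\n' "$pem" | wc -l | tr -d ' ')
  first=$(printf '%s\n' "$pem" | sed -n '1p')
  body=$(printf '%s\n' "$pem" | sed -n '2p')
  last=$(printf '%s\n' "$pem" | sed -n '3p')

  if [ "$first" != '-----BEGIN PRIVATE KEY-----' ]; then
    echo 'missing or wrong BEGIN line (expected -----BEGIN PRIVATE KEY-----)'; return 1
  fi
  if [ "$nlines" -ne 3 ]; then
    echo "expected 3 lines, got $nlines (an Ed25519 key body is a single line)"; return 1
  fi
  if [ "$last" != '-----END PRIVATE KEY-----' ]; then
    echo 'missing or wrong END line (expected -----END PRIVATE KEY-----)'; return 1
  fi
  case "$body" in
    *[!A-Za-z0-9+/=]*) echo 'body contains non-base64 characters'; return 1 ;;
  esac
  if [ "${#body}" -ne 64 ]; then
    echo "body is ${#body} chars, expected 64 (truncated or extra characters)"; return 1
  fi
  case "$body" in
    "$ED25519_PKCS8_PREFIX"*) ;;
    *) echo 'body does not start with the Ed25519 PKCS#8 prefix (wrong key type?)'; return 1 ;;
  esac
  echo ok
}

# Constructed demo key (NOT a real key): the fixed prefix followed by an
# all-zero seed, which base64-encodes to 43 "A" characters.
DUMMY_BODY="${ED25519_PKCS8_PREFIX}$(printf '%043d' 0 | tr 0 A)"
DUMMY_PEM=$(printf '%s\n%s\n%s' '-----BEGIN PRIVATE KEY-----' "$DUMMY_BODY" '-----END PRIVATE KEY-----')

# Demo: the dummy key, a header-less paste, and a paste with truncated lines.
demo() {
  for candidate in "$DUMMY_PEM" "$DUMMY_BODY" "$(printf '%s\n' "$DUMMY_PEM" | cut -c1-40)"; do
    printf 'result: %s\n' "$(validate_ed25519_pem "$candidate")"
  done
}
demo
```

Run it against the file or clipboard contents you intend to paste; anything other than "ok" means the secret would be created with an unusable key.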

Inputs

Input           Required  Default                    Description
vault-id        Yes       -                          Vault ID
project-id      Yes       -                          Project ID to unlock
machine-id      Yes       -                          Machine UUID
private-key     Yes       -                          Ed25519 private key (full PEM including headers)
api-url         No        https://api.sikkerkey.com  API URL
version         No        latest                     CLI version
export          No        false                      Export secrets as env vars
export-prefix   No        -                          Prefix for env var names

Outputs

Output          Description
secrets-count   Number of secrets exported (when export: true)

Examples

Export with prefix

- uses: SikkerKeyOfficial/setup-sikkerkey@v1
  with:
    vault-id: ${{ secrets.SIKKERKEY_VAULT_ID }}
    project-id: ${{ secrets.SIKKERKEY_PROJECT_ID }}
    machine-id: ${{ secrets.SIKKERKEY_MACHINE_ID }}
    private-key: ${{ secrets.SIKKERKEY_PRIVATE_KEY }}
    export: true
    export-prefix: APP_

- run: echo "$APP_DATABASE_PASSWORD"

Use the CLI directly

- uses: SikkerKeyOfficial/setup-sikkerkey@v1
  with:
    vault-id: ${{ secrets.SIKKERKEY_VAULT_ID }}
    project-id: ${{ secrets.SIKKERKEY_PROJECT_ID }}
    machine-id: ${{ secrets.SIKKERKEY_MACHINE_ID }}
    private-key: ${{ secrets.SIKKERKEY_PRIVATE_KEY }}

# Fetch individual secrets
- run: |
    DB_PASS=$(sikkerkey get sk_db_prod password)
    echo "::add-mask::$DB_PASS"

# Or inject and run
- run: sikkerkey run --all -- ./deploy.sh
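
Both forms of masking on this page, the action's export: true and the manual ::add-mask:: in the CLI step above, depend on the same GitHub behaviour: the runner masks only the exact string it is given. A value that spans several lines, such as a PEM key or a certificate fetched with the CLI, therefore has to be masked one line at a time before it is written to the log or to another step. The helper below is an added example, not code from the setup-sikkerkey action or the sikkerkey CLI. How the action derives environment-variable names from secret names is not described on this page, so the upper-case-and-underscore mapping with an optional prefix used here is an assumption. It writes the value to $GITHUB_ENV in the heredoc form so later steps can read it, and falls back to a temporary file when run outside a runner.

```shell
#!/usr/bin/env sh
# Added example (not part of setup-sikkerkey or the sikkerkey CLI): mask a
# secret line by line, then hand it to later steps through $GITHUB_ENV.

# to_env_name NAME [PREFIX]: derive an env var name from a secret name.
# ASSUMPTION: upper-case, non-alphanumerics -> "_", optional prefix prepended
# verbatim (the action's real mapping is not described on this page).
to_env_name() {
  name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9\n' '_')
  printf '%s%s\n' "${2:-}" "$name"
}

# mask_lines VALUE: emit one ::add-mask:: workflow command per non-empty line.
# GitHub masks only the exact string it is given, so a multi-line value
# (PEM key, certificate, JSON blob) must be registered one line at a time;
# blank lines are skipped because masking an empty string does nothing useful.
mask_lines() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done
}

# export_secret NAME VALUE [PREFIX]: mask first, then append to $GITHUB_ENV
# using the heredoc form GitHub documents for multi-line values, and print
# the variable name that was set so the caller can reference it.
export_secret() {
  env_name=$(to_env_name "$1" "${3:-}")
  mask_lines "$2"
  env_file="${GITHUB_ENV:?GITHUB_ENV is not set}"
  delim="GHEOF_$$_$(date +%s)"   # delimiter that cannot occur in the value
  {
    printf '%s<<%s\n' "$env_name" "$delim"
    printf '%s\n' "$2"
    printf '%s\n' "$delim"
  } >> "$env_file"
  printf '%s\n' "$env_name"
}

# Demo with a constructed two-line value (not a real key). Outside a runner,
# GITHUB_ENV is unset, so write to a temp file that can be inspected afterwards.
GITHUB_ENV="${GITHUB_ENV:-$(mktemp)}"
export GITHUB_ENV
DEMO_VALUE=$(printf '%s\n%s\n%s' '-----BEGIN DEMO-----' 'not-a-real-key' '-----END DEMO-----')
export_secret 'sk_tls_key' "$DEMO_VALUE" 'APP_'
echo "wrote heredoc entry to $GITHUB_ENV"
```

In a workflow this would replace the single echo "::add-mask::$DB_PASS" line when the fetched value can contain newlines; the ::add-mask:: commands must reach the log before any line that could echo the value, which is why the function masks before it writes.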

Multiple projects

- uses: SikkerKeyOfficial/setup-sikkerkey@v1
  with:
    vault-id: ${{ secrets.SIKKERKEY_VAULT_ID }}
    project-id: ${{ secrets.SIKKERKEY_PROJECT_ID }}
    machine-id: ${{ secrets.SIKKERKEY_MACHINE_ID }}
    private-key: ${{ secrets.SIKKERKEY_PRIVATE_KEY }}

- run: |
    sikkerkey unlock proj_staging --alias staging
    sikkerkey get sk_api_key --project staging

Security Notes

  • The private key is stored in GitHub Secrets and never printed to logs
  • All exported secret values are masked in GitHub Actions logs via ::add-mask::
  • The identity is created in the runner's home directory and discarded when the job ends
  • Every secret read is authenticated with Ed25519 signatures and recorded in the SikkerKey audit log
  • Each workflow run uses the same machine identity, so all reads are logged with the same machine ID