GitHub Actions - Automated Setup
Set up GitHub Actions secrets from the SikkerKey dashboard using the GitHub App.
SikkerKey can automatically configure your GitHub repository for CI/CD -- generating a machine identity, pushing secrets, and adding the workflow file -- all from the dashboard. No CLI commands, no copying credentials, no touching GitHub Settings.
How It Works
- From the dashboard, go to Integrations and expand GitHub Actions
- Click Install GitHub App to install the SikkerKey app on your GitHub account
- Select which repositories the app can access
- Back on the dashboard, select a repository, project, and which secrets to grant access to
- Choose whether to add the workflow file via pull request or direct commit
- Click Set up
SikkerKey handles everything:
- Generates an Ed25519 keypair for the CI machine
- Registers and auto-approves the machine
- Grants access to your selected secrets
- Pushes the four required secrets (SIKKERKEY_VAULT_ID, SIKKERKEY_MACHINE_ID, SIKKERKEY_PRIVATE_KEY, SIKKERKEY_PROJECT_ID) to your repository
- Optionally commits the workflow file or opens a pull request
After Setup
If you chose Pull Request, merge the PR to activate the workflow. If you chose Direct Commit, the workflow runs on the next push.
If you chose not to add the workflow file, add the SikkerKeyOfficial/setup-sikkerkey action to your workflow manually:
- uses: SikkerKeyOfficial/setup-sikkerkey@v1
  with:
    vault-id: ${{ secrets.SIKKERKEY_VAULT_ID }}
    project-id: ${{ secrets.SIKKERKEY_PROJECT_ID }}
    machine-id: ${{ secrets.SIKKERKEY_MACHINE_ID }}
    private-key: ${{ secrets.SIKKERKEY_PRIVATE_KEY }}
    export: true
Managing Configured Repositories
Repositories you've already set up are shown at the top of the GitHub panel on the Integrations page. From there you can:
- Disconnect a repository -- revokes the machine, deletes the four secrets from GitHub, and removes the workflow file if one was added
- Set up another repository using the form below the configured list
Machines created through the GitHub integration also appear on the Machines page like any other machine.
Adding More Repositories
If you need to grant the app access to additional repositories after the initial install, click Manage repository access at the bottom of the GitHub panel. This opens your GitHub installation settings where you can add or remove repositories.
Uninstalling
Click Uninstall to remove the GitHub App from your account. This uninstalls the app on both GitHub and SikkerKey. Existing machines continue to work -- uninstalling only prevents new repository setups.
To fully clean up, disconnect each configured repository first (which revokes the machines and removes GitHub secrets), then uninstall.
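To confirm that a disconnect really removed the four secrets (or that a setup pushed all of them), the secret names on the repository can be checked from a terminal. This is an added example, not part of SikkerKey's documentation or tooling: the function names are hypothetical, the sample list is constructed, and `check_repo` assumes an authenticated GitHub CLI (`gh`) recent enough to support `gh secret list --json`.

```shell
#!/bin/sh
# Added example: classify a repository's SikkerKey secret state from a list of
# secret names (one per line on stdin). GitHub only ever returns secret names,
# never values, so the check works on names alone.

# The four secret names listed on this page.
REQUIRED="SIKKERKEY_VAULT_ID SIKKERKEY_MACHINE_ID SIKKERKEY_PRIVATE_KEY SIKKERKEY_PROJECT_ID"

# Prints "configured" (all four present), "clean" (none present),
# or "partial missing=<names>" (a half-finished setup or disconnect).
sikkerkey_secret_state() {
  names=$(cat)
  found=0
  missing=""
  for want in $REQUIRED; do
    # -x whole-line match, -F literal string: SIKKERKEY_PRIVATE_KEY_OLD
    # must not count as SIKKERKEY_PRIVATE_KEY.
    if printf '%s\n' "$names" | grep -qxF "$want"; then
      found=$((found + 1))
    else
      missing="${missing:+$missing,}$want"
    fi
  done
  if [ "$found" -eq 4 ]; then
    echo "configured"
  elif [ "$found" -eq 0 ]; then
    echo "clean"
  else
    echo "partial missing=$missing"
  fi
}

# Live check (hypothetical helper, not run here). Usage: check_repo OWNER/REPO
check_repo() {
  gh secret list --repo "$1" --json name --jq '.[].name' | sikkerkey_secret_state
}

# Constructed sample: the private key secret was deleted by hand and an
# unrelated, similarly named secret is present.
SAMPLE_PARTIAL='SIKKERKEY_VAULT_ID
SIKKERKEY_MACHINE_ID
SIKKERKEY_PROJECT_ID
SIKKERKEY_PRIVATE_KEY_OLD
NPM_TOKEN'

printf '%s\n' "$SAMPLE_PARTIAL" | sikkerkey_secret_state
```

A `partial` result after a disconnect means leftover secrets should be deleted in the repository's GitHub settings; the machine itself can be confirmed revoked on the Machines page.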
Security
- No stored tokens. SikkerKey does not store any GitHub access tokens. Installation tokens are generated on demand from the app's private key and expire after one hour.
- Scoped access. The GitHub App only has access to the repositories you explicitly select during installation. It requests only the permissions it needs: repository secrets, contents, pull requests, and workflows.
- Auto-approved machine. The CI machine is auto-approved because you initiated the setup from an authenticated dashboard session. It follows the same Ed25519 authentication model as every other machine.
- Private key handling. The machine's private key is generated server-side, pushed to GitHub as a repository secret, and immediately discarded. It is never stored in SikkerKey.
- Audit logged. Installation, setup, disconnect, and uninstall actions are all recorded in your audit log.
Requirements
- A GitHub account that can install GitHub Apps
- The target repository must be granted to the SikkerKey app during installation
- The repository must have at least one commit (GitHub's API requires an initialized repository)
When to Use Manual Setup Instead
Use the manual setup if:
- Your organization restricts third-party GitHub App installations
- You need to customize the bootstrap process