---
title: "GitHub Actions"
description: "How to sync secrets from Infisical to GitHub Actions"
---
<Tabs>
<Tab title="Usage">
Infisical can sync secrets to GitHub so that they can be used in GitHub Actions workflows.
You can sync secrets to the following GitHub scopes:
- Repository
- GitHub Organization
- Repository Environment
<Info>
To learn more about the usage and limitations of secrets in GitHub Actions, see the [official GitHub documentation](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions).
</Info>
#### Prerequisites:
- Set up and add environment variables to [Infisical Cloud](https://app.infisical.com).
- Ensure you have admin privileges to the repository you want to sync secrets to.
- For Organizations only:
  - During the OAuth authorization, ensure you grant access to the respective organization.
- For Environments only:
  - You need access to the repository; create the environment under repository settings if it doesn't exist.
<Steps>
<Step title="Authorize Infisical for GitHub">
Navigate to your project's integrations tab in Infisical.
![integrations](../../images/integrations.png)
Press the GitHub tile and grant Infisical access to your GitHub account (repo privileges only).
![integrations github authorization](../../images/integrations/github/integrations-github-auth.png)
<Info>
If this is your project's first cloud integration, then you'll have to grant Infisical access to your project's environment variables.
Although this step breaks E2EE, it's necessary for Infisical to sync the environment variables to the cloud platform.
</Info>
</Step>
<Step title="Configure Infisical GitHub integration">
- Select the source project environment that needs to be synced (Development, Staging or Production).
- Enter the secret path (defaults to the root folder `/`).
- Select a scope (Repository, Organization or Repository Environment) based on the scope of the repository you want to sync secrets to.
<Tabs>
<Tab title="Repository">
- Select one or more repositories to sync secrets to.
![integrations github](../../images/integrations/github/integrations-github-scope-repo.png)
</Tab>
<Tab title="Organization">
- Select the organization to sync secrets to.
![integrations github](../../images/integrations/github/integrations-github-scope-org.png)
</Tab>
<Tab title="Repository Environment">
- Select the repository.
- Select the target environment you want to sync secrets to. If you can't find the environment, create one under repository settings > Environments > New environment and try again.
![integrations github](../../images/integrations/github/integrations-github-scope-env.png)
</Tab>
</Tabs>
- Once configured, press the "Create Integration" button.
![integrations github](../../images/integrations/github/integrations-github.png)
</Step>
</Steps>
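Once the integration has synced, workflows read the secrets through the `secrets` context, and the scope chosen above decides which jobs can see them. The workflow below is an added example, not part of the Infisical project: the secret names `DATABASE_URL` and `API_KEY`, the environment name `production`, and the script paths are assumptions to replace with your own.

```yaml
# Added example. DATABASE_URL, API_KEY, "production" and the script paths are assumed names.
name: deploy
on:
  push:
    branches: [main]

# Keep the workflow token read-only; the synced secrets are the only credentials the jobs need.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Repository scope: readable by any job in this repository.
      # Organization scope: readable here only if the organization's
      # access policy for the secret includes this repository.
      - name: Run tests
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: ./scripts/test.sh

  deploy:
    needs: test
    runs-on: ubuntu-latest
    # Repository Environment scope: the secret is exposed only to jobs that
    # declare the environment it was synced to. Without this line,
    # secrets.API_KEY evaluates to an empty string instead of failing.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          API_KEY: ${{ secrets.API_KEY }}
        run: ./scripts/deploy.sh
```

Pass secrets to a step through `env` rather than interpolating `${{ secrets.* }}` directly into the `run` script, so the value is not written into the generated shell script.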
</Tab>
<Tab title="Self-Hosted Setup">
Using the GitHub integration on a self-hosted instance of Infisical requires configuring an OAuth application in GitHub
and registering your instance with it.
<Steps>
<Step title="Create an OAuth application in GitHub">
Navigate to your user Settings > Developer settings > OAuth Apps to create a new GitHub OAuth application.
![integrations github config](../../images/integrations/github/integrations-github-config-settings.png)
![integrations github config](../../images/integrations/github/integrations-github-config-dev-settings.png)
![integrations github config](../../images/integrations/github/integrations-github-config-new-app.png)
Create the OAuth application. As part of the form, set the **Homepage URL** to your self-hosted domain `https://your-domain.com`
and the **Authorization callback URL** to `https://your-domain.com/integrations/github/oauth2/callback`.
![integrations github config](../../images/integrations/github/integrations-github-config-new-app-form.png)
<Note>
If you have a GitHub organization, you can create an OAuth application under it
in your organization Settings > Developer settings > OAuth Apps > New Org OAuth App.
</Note>
</Step>
<Step title="Add your OAuth application credentials to Infisical">
Obtain the **Client ID** and generate a new **Client Secret** for your GitHub OAuth application.
![integrations github config](../../images/integrations/github/integrations-github-config-credentials.png)
Back in your Infisical instance, add two new environment variables for the credentials of your GitHub OAuth application:
- `CLIENT_ID_GITHUB`: The **Client ID** of your GitHub OAuth application.
- `CLIENT_SECRET_GITHUB`: The **Client Secret** of your GitHub OAuth application.
Once added, restart your Infisical instance and use the GitHub integration.
</Step>
</Steps>
</Tab>
</Tabs>