Load Secrets from 1Password - GitHub Action

Provide the secrets your GitHub runner needs from 1Password.

Get started

load-secrets-action loads secrets from 1Password into GitHub Actions using Service Accounts or 1Password Connect.

Specify in your workflow YAML file which secrets from 1Password should be loaded into your job, and the action will make them available as environment variables for the next steps.

Read more on the 1Password Developer Portal.

This project is licensed under MIT. Use of the 1Password APIs and services accessed through these tools is governed by the 1Password API Terms of Service.

🪄 See it in action!

Using 1Password Service Accounts with GitHub Actions - showcase

Quickstart

on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Load secret
        id: load_secrets
        uses: 1password/load-secrets-action@v4
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example

      - name: Print masked secret
        run: 'echo "Secret: ${{ steps.load_secrets.outputs.SECRET }}"'
        # Prints: Secret: ***

Export secrets as env variables

on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Load secret
        uses: 1password/load-secrets-action@v4
        with:
          # Export loaded secrets as environment variables
          export-env: true
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          SECRET: op://app-cicd/hello-world/secret
          OP_ENV_FILE: "./path/to/.env.tpl" # see tests/.env.tpl for example

      - name: Print masked secret
        run: 'echo "Secret: $SECRET"'
        # Prints: Secret: ***

🔑 SSH Key Format

When loading SSH keys, you can specify the format using the ssh-format query parameter. This is useful when you need the private key in a specific format like OpenSSH.

- name: Load SSH key
  uses: 1password/load-secrets-action@v4
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    # Load SSH private key in OpenSSH format
    SSH_PRIVATE_KEY: op://vault/item/private key?ssh-format=openssh

For more details on secret reference syntax, see the 1Password CLI documentation.

🧪 Workload Identity (private beta)

Note

Workload Identity is in private beta. It's available to invited participants only. Contact 1Password if you're interested in joining the beta.

Instead of a Service Account token or Connect credentials, you can authenticate using Workload Identity, which exchanges your GitHub Actions OIDC token for short-lived 1Password access. To use it, set all three of the following environment variables (and do not set the Service Account token or the Connect variables):

on: push
jobs:
  hello-world:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required for the action to request a GitHub OIDC token
      contents: read
    steps:
      - name: Load secret
        id: load_secrets
        uses: 1password/load-secrets-action@v5beta
        env:
          OP_WORKLOAD_ID: ${{ vars.OP_WORKLOAD_ID }}
          OP_ENVIRONMENT_ID: ${{ vars.OP_ENVIRONMENT_ID }}
          OP_INTEGRATION_KEY: ${{ secrets.OP_INTEGRATION_KEY }}

Unlike the Service Account and Connect flows, you don't select secrets with individual op:// references. Instead, all variables defined in the configured 1Password environment are loaded and each one is exported as an environment variable (or set as a step output). Scope your environment to only the variables you want available to the job.

If only some of the three variables are set, or if they're combined with another authentication method, the action fails with a configuration error.
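A pre-flight lint for the authentication rule above, as an added example that is not part of the action or this repository. `lintStepEnv` and `parseSecretRef` are hypothetical helpers, and the Connect variable names `OP_CONNECT_HOST` and `OP_CONNECT_TOKEN` come from the 1Password Connect flow, not from this page. It reads a step's `env:` mapping as written in the workflow file, so no secret values are needed.

```javascript
// Added example: lint the `env:` mapping of a load-secrets-action step.
// Values are the raw workflow strings (e.g. "${{ secrets.X }}"), not secrets.
const WORKLOAD = ["OP_WORKLOAD_ID", "OP_ENVIRONMENT_ID", "OP_INTEGRATION_KEY"];
const SERVICE_ACCOUNT = ["OP_SERVICE_ACCOUNT_TOKEN"];
const CONNECT = ["OP_CONNECT_HOST", "OP_CONNECT_TOKEN"]; // not named on this page

// Split "op://vault/item/[section/]field?query"; returns null if malformed.
function parseSecretRef(value) {
  if (typeof value !== "string" || !value.startsWith("op://")) return null;
  const rest = value.slice("op://".length);
  const q = rest.indexOf("?");
  const path = q === -1 ? rest : rest.slice(0, q);
  const parts = path.split("/");
  if (parts.length < 3 || parts.length > 4) return null;
  if (parts.some((p) => p.trim() === "")) return null;
  return { vault: parts[0], item: parts[1], field: parts[parts.length - 1],
           query: q === -1 ? "" : rest.slice(q + 1) };
}

function lintStepEnv(env) {
  const has = (k) => typeof env[k] === "string" && env[k].trim() !== "";
  const errors = [], warnings = [], refs = [];
  const wl = WORKLOAD.filter(has);
  const methods = [];
  if (wl.length > 0) methods.push("workload-identity");
  if (SERVICE_ACCOUNT.some(has)) methods.push("service-account");
  if (CONNECT.some(has)) methods.push("connect");
  if (methods.length === 0) errors.push("no authentication variables set");
  if (methods.length > 1) errors.push("conflicting auth methods: " + methods.join(", "));
  if (wl.length > 0 && wl.length < WORKLOAD.length) {
    errors.push("Workload Identity is missing " + WORKLOAD.filter((k) => !has(k)).join(", "));
  }
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== "string" || !value.startsWith("op://")) continue;
    if (parseSecretRef(value) === null) errors.push(name + ": malformed secret reference");
    else refs.push(name);
  }
  if (wl.length > 0 && refs.length > 0) {
    warnings.push("Workload Identity loads the whole environment; op:// refs do not select secrets: " + refs.join(", "));
  }
  return { method: methods.length === 1 ? methods[0] : null, refs, errors, warnings };
}

// Constructed sample: Workload Identity with one variable missing and a stray token.
console.log(lintStepEnv({
  OP_WORKLOAD_ID: "${{ vars.OP_WORKLOAD_ID }}",
  OP_INTEGRATION_KEY: "${{ secrets.OP_INTEGRATION_KEY }}",
  OP_SERVICE_ACCOUNT_TOKEN: "${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}",
}));
```

Running it in CI before the load step catches a mixed or partial configuration at review time instead of at job failure.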

💙 Community & Support

🔐 Security

1Password requests that you practice responsible disclosure if you discover a vulnerability.

Please file requests by sending an email to bugbounty@agilebits.com.