How to Decrypt SOPS Secrets at Runtime in GitHub Actions
Install SOPS, supply the age (or GPG) private key from a repo secret, and decrypt the committed file in the job.
Store the SOPS-encrypted file in the repo, install SOPS, provide the decryption key via SOPS_AGE_KEY (or GPG), and run sops -d to recover the plaintext at runtime.
Steps
- Commit the encrypted file (e.g.
secrets.enc.yaml) created by SOPS. - Install SOPS in the job (download the release binary).
- Provide the private key via
SOPS_AGE_KEYfrom a repo secret. - Run
sops -dto decrypt to a file or export values.
Workflow
.github/workflows/ci.yml
jobs:
deploy:
runs-on: ubuntu-latest
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
steps:
- uses: actions/checkout@v4
- run: |
curl -L -o /usr/local/bin/sops \
https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
chmod +x /usr/local/bin/sops
- run: sops -d secrets.enc.yaml > secrets.yamlGotchas
- Never commit the age private key; keep it in
secrets.SOPS_AGE_KEYonly. - Decrypted files written to disk are not auto-masked; avoid printing them and delete after use.
Related guides
How to Encrypt a File With age in GitHub ActionsEncrypt build output or config in a GitHub Actions job with the age tool using a recipient public key, produc…
How to Decrypt Files With git-crypt in GitHub ActionsUnlock git-crypt encrypted files in a GitHub Actions checkout by exporting the symmetric key, base64-encoding…