Skip to content
Latchkey

How to Decrypt SOPS Secrets at Runtime in GitHub Actions

Install SOPS, supply the age (or GPG) private key from a repo secret, and decrypt the committed file in the job.

Store the SOPS-encrypted file in the repo, install SOPS, provide the decryption key via SOPS_AGE_KEY (or GPG), and run sops -d to recover the plaintext at runtime.

Steps

  • Commit the encrypted file (e.g. secrets.enc.yaml) created by SOPS.
  • Install SOPS in the job (download the release binary).
  • Provide the private key via SOPS_AGE_KEY from a repo secret.
  • Run sops -d to decrypt to a file or export values.

Workflow

.github/workflows/ci.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
    steps:
      - uses: actions/checkout@v4
      - run: |
          curl -L -o /usr/local/bin/sops \
            https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
          chmod +x /usr/local/bin/sops
      - run: sops -d secrets.enc.yaml > secrets.yaml

Gotchas

  • Never commit the age private key; keep it in secrets.SOPS_AGE_KEY only.
  • Decrypted files written to disk are not auto-masked; avoid printing them and delete after use.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →