GitHub Action
The official Kānuka GitHub Action simplifies using Kānuka in your GitHub Actions workflows. It handles installing Kānuka and configuring your private key securely.
Why use the GitHub Action?
While you can manually install Kānuka and configure keys in your workflows, the GitHub Action provides several benefits:
- Simplified setup - One step to install and configure Kānuka
- Secure key handling - Automatically masks secrets and sets restrictive permissions
- Version management - Easy to pin or update Kānuka versions
- Cross-platform - Works on Linux and macOS runners
Installation
Add your private key to GitHub Secrets:
- Go to your repository’s Settings > Secrets and variables > Actions
- Click New repository secret
- Name it KANUKA_PRIVATE_KEY
- Paste your private key content (including the -----BEGIN... and -----END... lines)
If your key is passphrase-protected, add another secret named KANUKA_PASSPHRASE.
Basic usage
```yaml
name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Kānuka
        uses: PolarWolf314/kanuka-actions@v1
        with:
          private-key: ${{ secrets.KANUKA_PRIVATE_KEY }}

      - name: Decrypt secrets
        run: kanuka secrets decrypt

      - name: Deploy
        run: ./deploy.sh
```
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
| private-key | Private key content for decryption | Yes | - |
| passphrase | Passphrase for the private key, if encrypted | No | '' |
| version | Kānuka version to install (e.g., 1.2.0 or latest) | No | latest |
Outputs
| Output | Description |
|---|---|
| private-key-path | Path to the private key file |
Examples
With passphrase-protected key
```yaml
- name: Setup Kānuka
  uses: PolarWolf314/kanuka-actions@v1
  with:
    private-key: ${{ secrets.KANUKA_PRIVATE_KEY }}
    passphrase: ${{ secrets.KANUKA_PASSPHRASE }}
```
Pinning a specific version
```yaml
- name: Setup Kānuka
  uses: PolarWolf314/kanuka-actions@v1
  with:
    private-key: ${{ secrets.KANUKA_PRIVATE_KEY }}
    version: '1.0.0'
```
Decrypt specific files
```yaml
- name: Setup Kānuka
  uses: PolarWolf314/kanuka-actions@v1
  with:
    private-key: ${{ secrets.KANUKA_PRIVATE_KEY }}

- name: Decrypt production secrets only
  run: kanuka secrets decrypt .env.production.kanuka
```
Monorepo with matrix strategy
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        service: [api, web, worker]
    steps:
      - uses: actions/checkout@v4

      - name: Setup Kānuka
        uses: PolarWolf314/kanuka-actions@v1
        with:
          private-key: ${{ secrets.KANUKA_PRIVATE_KEY }}

      - name: Decrypt service secrets
        run: kanuka secrets decrypt "services/${{ matrix.service }}/.env.kanuka"

      - name: Deploy ${{ matrix.service }}
        run: ./deploy.sh ${{ matrix.service }}
```
Security considerations
The GitHub Action takes several steps to protect your private key:
- Masking - The private key and passphrase are masked in logs using ::add-mask::
- Temporary storage - The key is written to $RUNNER_TEMP, which is cleaned up after the job
- Restrictive permissions - The key file is created with chmod 600
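The three protections listed above can be reproduced by hand in a run step. The script below is an added example, not the action's own source; its function names, the kanuka_private_key file name and the KANUKA_PRIVATE_KEY environment variable are assumptions.

```shell
#!/bin/sh
# Added illustration, not the action's source. Function and file names are hypothetical.

# Emit one ::add-mask:: command per non-empty line of the secret.
# Workflow commands are parsed one line of stdout at a time, so a
# multi-line PEM key must be masked line by line.
mask_secret() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done
}

# Write the key under $RUNNER_TEMP and print the resulting path.
install_key() {
  key_file="${RUNNER_TEMP:?RUNNER_TEMP is not set}/kanuka_private_key"
  # umask 077 in a subshell: a new file is created owner-only from the start.
  ( umask 077 && printf '%s\n' "$1" >"$key_file" )
  # Explicit chmod also tightens a file that already existed.
  chmod 600 "$key_file"
  printf '%s\n' "$key_file"
}

# Octal mode of a file: GNU stat (Linux runners), then BSD stat (macOS runners).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Runs only when the workflow step exports the secret as KANUKA_PRIVATE_KEY.
if [ -n "${KANUKA_PRIVATE_KEY:-}" ]; then
  mask_secret "$KANUKA_PRIVATE_KEY"
  key_path="$(install_key "$KANUKA_PRIVATE_KEY")"
  if [ "$(file_mode "$key_path")" != "600" ]; then
    echo "refusing to continue: $key_path is not mode 600" >&2
    exit 1
  fi
  echo "private key written to $key_path"
fi
```

Passing the secret through an environment variable keeps it out of the process argument list of the step.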
Alternative: Manual setup
If you prefer not to use the GitHub Action, you can set up Kānuka manually.
See the CI/CD section in the decryption guide for examples using --private-key-stdin.
Next steps
- Learn about decrypting secrets
- Explore monorepo workflows
- View the action source code