github.com/smartcontractkit/chainlink-testing-framework/tools/ghsecrets
ghsecrets is a command-line tool designed to manage and set test secrets in either:
This tool helps streamline the process of storing test secrets which can be referenced by your workflows or other services.
To install the ghsecrets CLI, ensure you have Go installed. Then run:
go install github.com/smartcontractkit/chainlink-testing-framework/tools/ghsecrets@latest
Note: If you plan to set secrets in GitHub, please also install the GitHub CLI (gh).
By default, ghsecrets set assumes you want to store secrets in AWS Secrets Manager, using a file from ~/.testsecrets (if not specified). You can change the backend to GitHub, specify a custom file path, or share the AWS secret with other IAM principals. Below are common examples:
⚠️ Note: Ensure you authenticate with AWS before using the tool:
aws sso login --profile <your-aws-sdlc-profile>Use the SDLC profile in AWS
This will read from ~/.testsecrets (by default) and create/update a secret in AWS Secrets Manager:
ghsecrets set --profile <your-aws-sdlc-profile>
If you’d like to specify a different file:
ghsecrets set --file /path/to/mysecrets.env --profile <your-aws-sdlc-profile>
If you’d like to specify a custom secret name:
ghsecrets set --secret-id my-custom-secret --profile <your-aws-sdlc-profile>
Note: For AWS backend, the tool automatically adds the testsecrets/ prefix if it is missing. This ensures consistency and allows GitHub Actions to access all secrets with this designated prefix.
If you’d like to share this secret with additional AWS IAM principals (e.g., a collaborator’s account):
ghsecrets set --shared-with arn:aws:iam::123456789012:role/SomeRole --profile <your-aws-sdlc-profile>
You can specify multiple ARNs using commas:
ghsecrets set --shared-with arn:aws:iam::123456789012:role/SomeRole,arn:aws:iam::345678901234:root --profile <your-aws-sdlc-profile>
ghsecrets set --backend github
This will:
~/.testsecrets) unless --file is specified.If you want to retrieve an existing secret from AWS Secrets Manager, use:
ghsecrets get --secret-id testsecrets/MySecretName --profile <your-aws-sdlc-profile>
By default, it tries to decode a Base64-encoded test secret. To disable decoding use --decode false flag:
ghsecrets get --secret-id testsecrets/MySecretName --decode false --profile <your-aws-sdlc-profile>
This error typically means the directory where Go installs its binaries is not in your system’s PATH. The binaries are usually installed in $GOPATH/bin or $GOBIN.
Steps to fix:
If you use asdf, run:
asdf reshim golang
Otherwise, add your Go bin directory to PATH manually:
echo $(go env GOPATH)/bin
~/.bashrc, ~/.zshrc):export PATH="$PATH:<path-to-go-bin>"
source ~/.bashrc # or .zshrc, etc.
Alternatively, run the tool using its full path without modifying PATH:
$(go env GOPATH)/bin/ghsecrets set
If you see errors like InvalidGrantException when setting or retrieving secrets from AWS, your SSO session may have expired. Re-authenticate using:
aws sso login --profile <my-aws-profile>
Then try running ghsecrets again.
For GitHub secrets, this tool requires the GitHub CLI. Please install it first:
brew install gh
# or
sudo apt-get install gh
Then run:
gh auth login
and follow the prompts to authenticate.
Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.
This project is licensed under the MIT License. Feel free to use, modify, and distribute it as needed.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Vite releases Rolldown-Vite, a Rust-based bundler preview offering faster builds and lower memory usage as a drop-in replacement for Vite.
Research
Security News
A malicious npm typosquat uses remote commands to silently delete entire project directories after a single mistyped install.
Research
Security News
Malicious PyPI package semantic-types steals Solana private keys via transitive dependency installs using monkey patching and blockchain exfiltration.