Set / update GitHub Actions secrets at the chirag127 org level

One-page procedure for pushing a secret value from Doppler to the chirag127-org-level GitHub Actions secrets list. Implements rules/security/github-org-level-secrets.md and the Track B half of security/env-and-secrets-single-source.md.

When to run

Prerequisites

Steps

1. Get the secret value from Doppler

NAME="<KEY>"
VALUE="$(doppler secrets get "$NAME" --plain --config prd)"

--plain prints only the raw value, with no table or JSON wrapper around it. --config prd selects the production environment in the relevant Doppler project (substitute dev if the key is dev-only).

Don't echo "$VALUE". Don't paste it anywhere.

2. Set the org-level secret

printf '%s' "$VALUE" | gh secret set "$NAME" \
    --org chirag127 \
    --visibility all

printf '%s' instead of echo avoids storing a stray trailing newline as part of the secret: echo always appends one, and echo -n is not portable across shells.

For repo-narrow keys (extension publishers, VS Code marketplace tokens), use --visibility selected --repos <comma-list> instead:

printf '%s' "$VALUE" | gh secret set "CHROME_WEBSTORE_REFRESH_TOKEN" \
    --org chirag127 \
    --visibility selected \
    --repos "oriz-omnipost,oriz-blog-ext,oriz-cards-ext"

3. Verify

gh secret list --org chirag127 \
    | grep -E "^$NAME\b" \
    || { echo "missing: $NAME"; exit 1; }

The updated_at timestamp on the matched line should be the current minute.

4. (For new keys) repeat for every NEW key

When bootstrapping or after multiple keys have entered templates/.env.example, the bulk path is the helper script:

bash scripts/set-org-secrets-from-doppler.sh --dry-run
bash scripts/set-org-secrets-from-doppler.sh

The script reads every key from , pulls the value from Doppler, and runs gh secret set --org chirag127 --visibility all for each. Idempotent — re-running with no value changes is a no-op (the GH API still records an updated_at bump per write, but the value is unchanged).

5. Audit

gh secret list --org chirag127 --json name,visibility,updatedAt > /tmp/org-secrets.json

Diff against the keys in templates/.env.example. Two failure modes:
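As an added example (not the runbook's own helper script), this shell snippet performs the audit offline: it takes the KEY names from a .env.example file and the names from `gh secret list --org chirag127` output saved to a file, and reports template keys with no org secret as well as org secrets no template references. The function names and both sample files are constructed assumptions, and it reads the tabular gh output rather than the --json form above.

```bash
#!/usr/bin/env bash
# Added example for the audit step; not the runbook's own helper script.
# Compares KEY names in templates/.env.example with the secret names gh lists for
# the org, offline, on constructed sample files. Function names are hypothetical.
export LC_ALL=C   # consistent ordering for sort and comm

# KEY names from a .env.example: skip comments and blank lines, keep text left of '='.
env_keys() {
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*$/\2/p' "$1" | sort -u
}

# Secret names from `gh secret list --org chirag127` saved to a file: the name is the
# first whitespace-separated column; a NAME header line (TTY output) is skipped.
secret_names() {
  awk 'NF && $1 != "NAME" { print $1 }' "$1" | sort -u
}

# Prints "missing: KEY" for template keys with no org secret and "stale: KEY" for
# org secrets no template references. Returns 1 if anything is missing.
audit_org_secrets() {
  local want have missing stale
  want=$(mktemp); have=$(mktemp)
  env_keys "$1" > "$want"
  secret_names "$2" > "$have"
  missing=$(comm -23 "$want" "$have")   # in template, not at org
  stale=$(comm -13 "$want" "$have")     # at org, not in template
  rm -f "$want" "$have"
  [ -n "$missing" ] && printf '%s\n' "$missing" | sed 's/^/missing: /'
  [ -n "$stale" ] && printf '%s\n' "$stale" | sed 's/^/stale: /'
  [ -z "$missing" ]
}

# Constructed sample inputs: no real secret values or real org state.
ENV_EXAMPLE=$(mktemp)
cat > "$ENV_EXAMPLE" <<'EOF'
# templates/.env.example (constructed sample)
DOPPLER_TOKEN=
export CHROME_WEBSTORE_REFRESH_TOKEN=
NPM_TOKEN="placeholder"
EOF
SECRET_LIST=$(mktemp)
cat > "$SECRET_LIST" <<'EOF'
CHROME_WEBSTORE_REFRESH_TOKEN   2026-06-20T10:02:11Z   SELECTED
DOPPLER_TOKEN                   2026-06-20T10:01:40Z   ALL
OLD_LEGACY_KEY                  2025-01-03T08:00:00Z   ALL
EOF

audit_org_secrets "$ENV_EXAMPLE" "$SECRET_LIST" || echo "org secrets out of sync with the template"
```

Against the sample files it reports NPM_TOKEN as missing and OLD_LEGACY_KEY as stale and exits 1, so it can gate a CI job the same way the grep check in step 3 does.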

6. Update the log

Append a one-liner to :

- 2026-06-20 — set <KEY> at chirag127 org level (visibility: all) sourced from Doppler

(Don't include the value, even partially.)

Don'ts

See also