Github/secrets
@hivemq/github/secretsv2026.06.01.70
01README
GitHub Actions secret management via the local gh CLI. Supports repo-level, environment-scoped, and organization-scoped secrets with fan-out, code-search discovery, and a dry-run mode on the org-level setter. No PAT, GitHub App, or vault-held token required — auth comes from the operator's existing gh session.
02Models
@hivemq/github/secretsv2026.05.13.5github_secrets.ts
fn setRepoSecret(repo: string, secretName: string)
Set a GitHub Actions secret on a repository, or on a named environment within a repository.
| Argument | Type | Description |
|---|---|---|
| repo | string | Repository name |
| secretName | string | Secret name (e.g. SIGNING_KEY) |
fn setRepoSecretsAcrossRepos(secretName: string, repo: string)
Fan-out: set the same GitHub Actions secret across multiple repositories or environments in one operation.
| Argument | Type | Description |
|---|---|---|
| secretName | string | Secret name (e.g. SIGNING_KEY) |
| repo | string | Repository name |
fn inspectOrgSecret(org: string, secretName: string)
Read metadata of an organization-level Actions secret: visibility (all / private / selected) and, when applicable, the list of selected repositories. Useful as a pre-rotation blast-radius check.
| Argument | Type | Description |
|---|---|---|
| org | string | GitHub organization login |
| secretName | string | Org secret name (e.g. SIGNING_KEY) |
fn setOrgSecret(org: string, secretName: string)
Update an organization-level Actions secret while preserving its visibility and selected-repos list. Sufficient when secrets are inherited org-wide rather than configured per-repo. Pass dryRun=true to perform the metadata read but skip the actual write.
| Argument | Type | Description |
|---|---|---|
| org | string | GitHub organization login |
| secretName | string | Org secret name (e.g. SIGNING_KEY) |
fn discoverConfiguredTargets(org: string)
Find repos that reference a secret AND actually have it configured. Combines code search (with optional pathPrefix filter) with `gh secret list` checks at repo level and per environment. Output is a curated list of {owner, repo, environment?} ready to feed setRepoSecretsAcrossRepos, plus an audit list of skipped repos.
| Argument | Type | Description |
|---|---|---|
| org | string | GitHub organization login |
fn findReposUsingSecret(org: string)
Search a GitHub org via code search for repositories that reference a given secret name (e.g. in workflow files).
| Argument | Type | Description |
|---|---|---|
| org | string | GitHub organization login |
Resources
repoSecretUpdate(infinite)— Record of a GitHub Actions secret being set on a repo or environment
repoSearch(infinite)— Result of an org-scoped code search locating repos that reference a secret name
configuredTargets(infinite)— Curated list of repo/environment targets where the secret is actually configured, ready to feed setRepoSecretsAcrossRepos
orgSecretInspection(infinite)— Snapshot of an organization-level Actions secret's visibility and selected-repos list
orgSecretUpdate(infinite)— Record of an organization-level Actions secret being updated (visibility preserved)
03Stats
D
50 / 100
Downloads
2
Archive size
15.0 KB
- Has README or module doc0/2missing
- README has a code example0/1missing
- README is substantive0/1pending
- Most symbols documented1/1earned
- No slow types1/1earned
- Dependencies pass trust audit2/2earned
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared0/1missing
- Verified public repository0/2missing
04Platforms
05Labels