πŸ™
Easy

GitHub

Complete guide to integrating XtraSecurity with GitHub Actions. Secure your CI/CD pipeline by fetching secrets from XtraSecurity in GitHub workflows.

Setup Time: 10 minutes
Difficulty: Easy

XtraSecurity + GitHub Secrets Integration

Securely manage secrets in GitHub Actions workflows using XtraSecurity.

Quick Setup (5 Minutes)

Step 1: Create GitHub Repository Secret

  1. Go to repository Settings → Secrets and variables → Actions
  2. Click "New repository secret"
  3. Name: XTRA_API_KEY
  4. Value: Copy from XtraSecurity API Keys page
  5. Click "Add secret"

Step 2: Add to Workflow

name: Deploy

on: [push]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Fetch secrets
        env:
          XTRA_API_KEY: ${{ secrets.XTRA_API_KEY }}
        run: |
          npm install -g @xtrasecurity/cli
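          # Append (>>) to $GITHUB_ENV, which is parsed as NAME=value lines, so later steps see the values
          xtra get database_url >> "$GITHUB_ENV"
          xtra get api_key >> "$GITHUB_ENV"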
      
      - name: Deploy
        run: npm run deploy
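
Values fetched inside a step are not registered GitHub secrets, so the runner does not redact them from job logs unless they are masked first. The helper below is an added example, not code from this guide or from the XtraSecurity CLI: `export_secret` is a hypothetical function that masks a value and appends it to `$GITHUB_ENV` behind a random heredoc delimiter, assuming `xtra get` prints the bare value as the `$(xtra get ...)` lines in the full example do.

```shell
#!/bin/sh
# Added example: mask a runtime-fetched secret, then hand it to later steps.
# export_secret is a hypothetical helper, not part of the XtraSecurity CLI.

export_secret() {
  local name value delim line
  name=$1
  value=$2

  # Only plain identifiers: blocks "NAME=x" or newline tricks in the name.
  case "$name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "export_secret: invalid variable name" >&2; return 1 ;;
  esac
  [ -n "$value" ] || { echo "export_secret: empty value for $name" >&2; return 1; }

  # add-mask takes one line per command, so mask each non-empty line.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
  done

  # Random heredoc delimiter so the value cannot close the block early
  # and smuggle extra NAME=value lines into $GITHUB_ENV.
  delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  case "$value" in
    *"$delim"*) echo "export_secret: delimiter collision" >&2; return 1 ;;
  esac

  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$GITHUB_ENV"
}

# Constructed demo for running outside Actions: a temp file stands in
# for $GITHUB_ENV and the value is made up.
# In a workflow step (assuming `xtra get` prints the bare value):
#   export_secret DATABASE_URL "$(xtra get database_url)"
if [ -z "${GITHUB_ENV:-}" ]; then
  GITHUB_ENV=$(mktemp)
  export GITHUB_ENV
  export_secret DATABASE_URL 'postgres://app:constructed-pw@db.example.internal/app'
  cat "$GITHUB_ENV"
fi
```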

Full Example

name: Production Deployment

on:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      
      - name: Get secrets
        env:
          XTRA_API_KEY: ${{ secrets.XTRA_API_KEY }}
        run: |
          npm install -g @xtrasecurity/cli
          xtra get test_db_url > .env.test
          xtra get stripe_test_key >> .env.test
      
      - name: Run tests
        run: npm test
  
  deploy:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Get production secrets
        env:
          XTRA_API_KEY: ${{ secrets.XTRA_API_KEY }}
        run: |
          npm install -g @xtrasecurity/cli
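          # `export` only lasts for this step; write to $GITHUB_ENV so the deploy step sees the values
          echo "DATABASE_URL=$(xtra get prod_database_url)" >> "$GITHUB_ENV"
          echo "API_KEY=$(xtra get stripe_live_key)" >> "$GITHUB_ENV"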
      
      - name: Deploy to production
        run: npm run deploy:prod

Best Practices

  1. Use separate API keys per environment
  2. Rotate keys every 30 days
  3. Never commit secrets to the repository
  4. Use branch protection for the main deployment branch
  5. Enable audit logging to track secret access

Need More Help?

Check our full documentation or contact our support team for assistance.