GitHub Actions · Arazzo Workflow

GitHub Actions Share an Organization Secret with Selected Repositories

Version 1.0.0

Fetch the org public key, create or update a selected-visibility org secret, scope it to repositories, and list them.

1 workflow · 1 source API · 1 provider

Provider

github-actions

Workflows

share-org-secret
Create a selected-visibility org secret and scope it to repositories.
Gets the org public key, writes the encrypted org secret with selected visibility, sets its selected repositories, and lists them to confirm.
4 steps
Inputs: accessToken, encryptedValue, keyId, org, secretName, selectedRepositoryIds
Outputs: scopedRepoCount, secretName
1. getOrgPublicKey (operationId: getOrgPublicKey)
   Retrieve the organization public key whose key_id must match the key used to encrypt the secret value.
2. writeOrgSecret (operationId: createOrUpdateOrgSecret)
   Create or update the organization secret with selected visibility. Returns 201 when newly created and 204 when updated.
3. setSelectedRepos (operationId: setSelectedReposForOrgSecret)
   Replace the secret's repository allow list with the supplied repository ids. Returns 204 with no body.
4. listSelectedRepos (operationId: listSelectedReposForOrgSecret)
   List the repositories now scoped to the secret to confirm the allow list.

Source API Descriptions

githubActionsApi (openapi): ../openapi/github-actions-openapi.yml

Arazzo Workflow Specification

github-actions-share-org-secret-workflow.yml
arazzo: 1.0.1
info:
  title: GitHub Actions Share an Organization Secret with Selected Repositories
  summary: Fetch the org public key, create or update a selected-visibility org secret, scope it to repositories, and list them.
  description: >-
    Provisions an organization-level Actions secret and restricts it to a chosen
    set of repositories. The workflow retrieves the organization public key,
    creates or updates the secret with selected visibility, replaces the secret's
    repository allow list, and lists the selected repositories to confirm the
    scope. Every step spells out its request inline so the flow can be read and
    executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: githubActionsApi
  url: ../openapi/github-actions-openapi.yml
  type: openapi
workflows:
- workflowId: share-org-secret
  summary: Create a selected-visibility org secret and scope it to repositories.
  description: >-
    Gets the org public key, writes the encrypted org secret with selected
    visibility, sets its selected repositories, and lists them to confirm.
  inputs:
    type: object
    required:
    - accessToken
    - org
    - secretName
    - encryptedValue
    - keyId
    - selectedRepositoryIds
    properties:
      accessToken:
        type: string
        description: GitHub bearer token with organization secrets admin access.
      org:
        type: string
        description: The organization name.
      secretName:
        type: string
        description: The name of the organization secret to create or update.
      encryptedValue:
        type: string
        description: The secret value encrypted with LibSodium using the org public key.
      keyId:
        type: string
        description: The id of the public key used to encrypt the value.
      selectedRepositoryIds:
        type: array
        description: The repository ids that may access the secret.
        items:
          type: integer
  steps:
  - stepId: getOrgPublicKey
    description: >-
      Retrieve the organization public key whose key_id must match the key used
      to encrypt the secret value.
    operationId: getOrgPublicKey
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: org
      in: path
      value: $inputs.org
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      keyId: $response.body#/key_id
      publicKey: $response.body#/key
  - stepId: writeOrgSecret
    description: >-
      Create or update the organization secret with selected visibility. Returns
      201 when newly created and 204 when updated.
    operationId: createOrUpdateOrgSecret
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: org
      in: path
      value: $inputs.org
    - name: secret_name
      in: path
      value: $inputs.secretName
    requestBody:
      contentType: application/json
      payload:
        encrypted_value: $inputs.encryptedValue
        key_id: $inputs.keyId
        visibility: selected
        selected_repository_ids: $inputs.selectedRepositoryIds
    successCriteria:
    - condition: $statusCode == 201 || $statusCode == 204
  - stepId: setSelectedRepos
    description: >-
      Replace the secret's repository allow list with the supplied repository
      ids. Returns 204 with no body.
    operationId: setSelectedReposForOrgSecret
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: org
      in: path
      value: $inputs.org
    - name: secret_name
      in: path
      value: $inputs.secretName
    requestBody:
      contentType: application/json
      payload:
        selected_repository_ids: $inputs.selectedRepositoryIds
    successCriteria:
    - condition: $statusCode == 204
  - stepId: listSelectedRepos
    description: >-
      List the repositories now scoped to the secret to confirm the allow list.
    operationId: listSelectedReposForOrgSecret
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: org
      in: path
      value: $inputs.org
    - name: secret_name
      in: path
      value: $inputs.secretName
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      totalCount: $response.body#/total_count
      repositories: $response.body#/repositories
  outputs:
    secretName: $inputs.secretName
    scopedRepoCount: $steps.listSelectedRepos.outputs.totalCount
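The four steps above as an executable client, added here as an example (not the page's, the Arazzo project's or GitHub's own code). It assumes the GitHub REST paths behind the listed operationIds and drives them through an injectable transport; FakeGitHub is a constructed stand-in so the flow runs offline. Beyond the spec, it enforces the key_id caveat from step 1 and treats step 4 as a real check that the allow list matches the requested ids.

```python
# Added example (not the page's or GitHub's own code): drives the share-org-secret workflow
# against an injectable transport. Paths are the GitHub REST paths behind the listed operationIds.
class WorkflowError(Exception): pass

def share_org_secret(send, token, org, secret_name, encrypted_value, key_id, repo_ids):
    """Run the four steps; send(method, path, headers, json_body) returns (status, json_body)."""
    hdr = {"Authorization": f"Bearer {token}"}
    base = f"/orgs/{org}/actions/secrets"
    status, body = send("GET", f"{base}/public-key", hdr, None)  # step 1: getOrgPublicKey
    if status != 200:
        raise WorkflowError(f"getOrgPublicKey returned {status}")
    if body["key_id"] != key_id:  # caveat the page states but the spec does not enforce
        raise WorkflowError("key_id mismatch: value was not encrypted with the current org key")
    payload = {"encrypted_value": encrypted_value, "key_id": key_id,
               "visibility": "selected", "selected_repository_ids": list(repo_ids)}
    status, _ = send("PUT", f"{base}/{secret_name}", hdr, payload)  # step 2: 201 new, 204 updated
    if status not in (201, 204):
        raise WorkflowError(f"createOrUpdateOrgSecret returned {status}")
    status, _ = send("PUT", f"{base}/{secret_name}/repositories", hdr,  # step 3: replace allow list
                     {"selected_repository_ids": list(repo_ids)})
    if status != 204:
        raise WorkflowError(f"setSelectedReposForOrgSecret returned {status}")
    status, body = send("GET", f"{base}/{secret_name}/repositories", hdr, None)  # step 4: confirm
    if status != 200:
        raise WorkflowError(f"listSelectedReposForOrgSecret returned {status}")
    listed = {r["id"] for r in body["repositories"]}
    if listed != set(repo_ids):  # the allow list must be exactly what was requested
        raise WorkflowError(f"allow list drift: wanted {sorted(repo_ids)}, got {sorted(listed)}")
    return {"secretName": secret_name, "scopedRepoCount": body["total_count"]}

class FakeGitHub:
    """Constructed in-memory org: one public key and a secret store; unknown repo ids are dropped."""
    def __init__(self, key_id, org_repo_ids):
        self.key_id, self.repos, self.secrets = key_id, set(org_repo_ids), {}
    def __call__(self, method, path, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {}
        tail = path.strip("/").split("/")[4:]  # everything after orgs/<org>/actions/secrets
        if tail == ["public-key"]:
            return 200, {"key_id": self.key_id, "key": "constructed-base64-public-key"}
        name, sub = tail[0], tail[1:]
        if method == "PUT":  # serves both the secret write and the allow-list replacement
            created = name not in self.secrets
            self.secrets[name] = set(body["selected_repository_ids"]) & self.repos
            return (201 if created else 204), {}
        if method == "GET" and sub == ["repositories"]:
            ids = sorted(self.secrets.get(name, ()))
            return 200, {"total_count": len(ids), "repositories": [{"id": i} for i in ids]}
        return 404, {}
```

Swap FakeGitHub for a real transport that performs the HTTPS request and returns (status, parsed JSON) to run it against an organization; the drift check is what turns step 4 from a listing into a verification.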