Summary
Sync organization-level Actions secrets and variables metadata/policy from declarative YAML config.
Scope
This should manage metadata and visibility policy, while keeping secret values out of committed config.
Potential inputs:
- actions-variables-file
- actions-secrets-file
- optional per-org overrides in orgs.yml
- optional delete-unmanaged flags, only if safe and explicit
Candidate behavior
- Sync organization Actions variables: name, value, visibility, selected repositories
- Sync organization Actions secrets: name, value reference, visibility, selected repositories
- Read secret values from environment variables or named GitHub Actions secrets, not from YAML literals
- Compare existing variable values where the API supports reading them back, and update only on a difference; for secrets, always write the configured value, because the API cannot read secret values back
Security notes
- Never print secret values.
- Mask resolved secret values with core.setSecret().
- Avoid examples that contain real-looking credentials.
- Document required permissions clearly.
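Added example, not the project's code: the planning logic the candidate behavior and security notes above describe, in JavaScript. It takes config in the shape the YAML would parse to (the `env:NAME` reference syntax, the field names, and the sample data are assumptions), resolves secret values from the environment, masks them with a local stand-in for `core.setSecret()`, diffs variables against values read back from the API, writes every configured secret, and deletes unmanaged entries only when the flag is explicitly set. The plan carries names only; resolved values travel in a separate map that is never logged.

```javascript
// Added example (not the project's code). Config object shape, the "env:NAME"
// secret reference syntax, and all sample data below are assumptions.

const maskedValues = new Set();

// Stand-in for @actions/core's core.setSecret(): register a value so that
// every later log line has it redacted.
function setSecret(value) {
  if (value) maskedValues.add(String(value));
}

// Redact all registered secret values from a log line.
function redact(line) {
  let out = String(line);
  for (const v of maskedValues) out = out.split(v).join("***");
  return out;
}

// Resolve a secret reference such as "env:ORG_NPM_TOKEN" (assumed syntax).
// YAML literals are rejected, and the error never echoes the offending value,
// so a secret pasted into config by mistake is not leaked into the log.
function resolveSecretValue(name, ref, env) {
  if (typeof ref !== "string" || !ref.startsWith("env:")) {
    throw new Error(`secret ${name}: value must be an env: reference, not a literal`);
  }
  const varName = ref.slice("env:".length);
  if (!(varName in env) || env[varName] === "") {
    throw new Error(`secret ${name}: environment variable ${varName} is not set`);
  }
  setSecret(env[varName]);
  return env[varName];
}

// Visibility plus selected repositories, compared order-insensitively. Repos
// are stringified so name- and id-based lists compare the same way (assumed).
function samePolicy(a, b) {
  const repos = (x) => [...(x.selected_repositories || [])].map(String).sort().join(",");
  return a.visibility === b.visibility && repos(a) === repos(b);
}

function unmanagedNames(desired, existing) {
  const managed = new Set(desired.map((d) => d.name));
  return existing.filter((e) => !managed.has(e.name)).map((e) => e.name);
}

// Variables: the API returns current values, so only changed entries are updated.
function planVariables(desired, existing, deleteUnmanaged = false) {
  const plan = { create: [], update: [], delete: [], unchanged: [] };
  const byName = new Map(existing.map((v) => [v.name, v]));
  for (const v of desired) {
    const cur = byName.get(v.name);
    if (!cur) plan.create.push(v.name);
    else if (cur.value !== v.value || !samePolicy(cur, v)) plan.update.push(v.name);
    else plan.unchanged.push(v.name);
  }
  if (deleteUnmanaged) plan.delete = unmanagedNames(desired, existing);
  return plan;
}

// Secrets: values cannot be read back, so every configured secret is written.
// The plan holds names only; resolved values live in a separate map.
function planSecrets(desired, existing, env, deleteUnmanaged = false) {
  const plan = { create: [], update: [], delete: [] };
  const resolved = new Map();
  const existingNames = new Set(existing.map((s) => s.name));
  for (const s of desired) {
    resolved.set(s.name, resolveSecretValue(s.name, s.value, env));
    (existingNames.has(s.name) ? plan.update : plan.create).push(s.name);
  }
  if (deleteUnmanaged) plan.delete = unmanagedNames(desired, existing);
  return { plan, resolved };
}

// Constructed sample data, standing in for parsed YAML, the API's current
// state, and the runner's environment.
const SAMPLE_ENV = { ORG_NPM_TOKEN: "tok-example-1234" };
const DESIRED_VARS = [
  { name: "REGISTRY", value: "https://npm.example", visibility: "all" },
  { name: "LOG_LEVEL", value: "info", visibility: "selected", selected_repositories: ["api", "web"] },
];
const EXISTING_VARS = [
  { name: "REGISTRY", value: "https://npm.example", visibility: "all" },
  { name: "LOG_LEVEL", value: "debug", visibility: "selected", selected_repositories: ["web", "api"] },
  { name: "OLD_FLAG", value: "1", visibility: "all" },
];
const DESIRED_SECRETS = [{ name: "NPM_TOKEN", value: "env:ORG_NPM_TOKEN", visibility: "private" }];
const EXISTING_SECRETS = [{ name: "NPM_TOKEN", visibility: "private" }];

// Log only the plans (names), and only through redact(), so a value that
// slipped into a message would still be masked.
const varPlan = planVariables(DESIRED_VARS, EXISTING_VARS, false);
const { plan: secretPlan } = planSecrets(DESIRED_SECRETS, EXISTING_SECRETS, SAMPLE_ENV, false);
console.log(redact(`variables: ${JSON.stringify(varPlan)}`));
console.log(redact(`secrets: ${JSON.stringify(secretPlan)}`));
```

Deleting unmanaged entries is opt-in per call so a default run can never remove something the config does not mention; the explicit flag from the inputs list is the only thing that turns it on.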
Questions to resolve
- Should this include Dependabot/Codespaces secrets too, or only Actions secrets?
- Should variable values be allowed inline while secret values must be referenced?
- How should selected repositories be identified: names, IDs, or both?