Configuration

To configure GitHub for the integration with Secret Server, perform the following tasks:

Create or identify an application account or service account
Grant the account View permission on target secrets
Create the workflow YAML file
Add GitHub Secrets and Variables
Define the DPSS_RETRIEVE variable
Configure the workflow

The following sections describe how to perform these tasks.

Configuring Secret Server or the Delinea Platform

To configure Secret Server or the Delinea Platform for the integration with GitHub, you must set up an application account or service account that the integration uses to retrieve secrets.

Create or identify an application account or service account. For more information on how to create these accounts, see the Delinea Platform documentation or the Secret Server documentation
Ensure that the account has View permission on the target secrets.

Configuring GitHub

To configure GitHub for the integration with Secret Server, you must configure your GitHub repository, define secrets and variables, and create a workflow definition.

Step 1: Creating the Workflow YAML File

GitHub workflows are defined using YAML files located in the .github/workflows/ directory of the repository. You can create this file using the GitHub UI or locally.

Option A: Create the file using the GitHub UI

Go to Actions in your repository.

Select New workflow or set up a workflow yourself.

Create a file named delinea-integration.yml (or any descriptive name).
Add the workflow content.
Click Commit changes to commit the file to your branch (for example, main).

Option B: Create the file locally

Create a directory structure .github/workflows/ in the root of your local repository.
Create a file named delinea-integration.yml in the workflows directory.

Commit and push the file using the following git commands:

git add .github/workflows/delinea-integration.yml
git commit -m "Add GitHub workflow for Delinea integration"
git push

Step 2: Adding GitHub Secrets and Variables

To configure secrets required for the integration:

In your GitHub repository, go to Settings > Secrets and variables > Actions.
Select the Secrets tab.

Select New repository secret.
Enter the secret details:
- Name: Secret name (for example, DPSS_SERVER_URL)
- Secret: The corresponding value
Select Add secret.
Repeat steps 3-5 for each required secret.

Required GitHub Secrets

The following table lists the GitHub secrets required for the integration.

Secret Name	Description	Example Value	Security Setting
DPSS_SERVER_URL	The URL of your Delinea Secret Server instance	https://your-instance.secretservercloud.com	Masked
DPSS_CLIENT_ID	Application account or service account username	integration_user	Masked
DPSS_CLIENT_SECRET	Application account or service account password	[secure password]	Masked
DPSS_DOMAIN	Domain for Secret Server On-Premises (optional for Cloud)	COMPANY	Masked
DPSS_RETRIEVE	JSON configuration mapping secrets to environment variables	See Define the `DPSS_RETRIEVE` variable	Not applicable

Defining the `DPSS_RETRIEVE` Variable

The DPSS_RETRIEVE variable defines which secrets are retrieved from Delinea and how they are mapped to environment variables in the workflow.

Each entry includes:

secretPath or secretId
secretKey
outputVariable

In the JSON configuration, you specify the secretKey to retrieve from Delinea and the corresponding outputVariable. The value defined in outputVariable is created as an environment variable and must be uppercase.

Copy

[
                {
                "secretPath": "ci:database:prod",
                "secretKey": "password",
                "outputVariable": "DB_PASSWORD"
                },
                {
                "secretId": "1025",
                "secretKey": "api_key",
                "outputVariable": "SECRET_API_KEY"
                }
            ]

You can retrieve secrets using either a folder-based secret path or a unique secret ID.

secretPath: Retrieves a Delinea secret using its folder-based path (for example: folder:subfolder:secret).
secretId: Retrieves a Delinea secret using the unique secret ID.

Both methods can be combined in the same DPSS_RETRIEVE configuration.

Step 3: Configuring the Workflow

The integration uses a workflow that pulls the Docker image, retrieves secrets from Delinea, and validates the integration.

Copy

name: Run Docker Image

                on:
                workflow_dispatch:
                repository_dispatch:
                types: [docker-image-pushed]

                jobs:
                run-docker-image:
                runs-on: ubuntu-latest
    
                env:
                IMAGE_TAG: 'dev-1922517'  # Set this to the image tag you want to test manually
    
                steps:
                - name: Set image tag
                id: image_tag
                run: |
                if [[ "${{ github.event_name }}" == "repository_dispatch" ]]; then
                IMAGE_TAG="${{ github.event.client_payload.image_tag }}"
                else
                IMAGE_TAG="${{ env.IMAGE_TAG }}"
                fi
                echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_OUTPUT
                echo "Using image tag: ${IMAGE_TAG}"
      
                - name: Pull image
                run: docker pull sachinju/dpss-github-action:${{ steps.image_tag.outputs.IMAGE_TAG }}
      
                - name: Run container and verify
                id: run_container
                run: |
                OUTPUT=$(docker run --rm \
                -e DPSS_SERVER_URL="${{ secrets.DPSS_SERVER_URL }}" \
                -e DPSS_CLIENT_ID="${{ secrets.DPSS_CLIENT_ID }}" \
                -e DPSS_CLIENT_SECRET="${{ secrets.DPSS_CLIENT_SECRET }}" \
                -e DPSS_RETRIEVE='[{"secretId":"10123","secretKey":"Password","outputVariable":"TEST_PASSWORD"}]' \
                -e GITHUB_ENV=/tmp/github_env \
                sachinju/dpss-github-action:${{ steps.image_tag.outputs.IMAGE_TAG }} 2>&1)
          
                EXIT_CODE=$?
                echo "$OUTPUT"
          
                if [ $EXIT_CODE -eq 0 ]; then
                echo "✓ DPSS integration test PASSED"
                echo "status=success" >> $GITHUB_OUTPUT
                else
                echo "✗ DPSS integration test FAILED"
                echo "status=failed" >> $GITHUB_OUTPUT
                exit 1
                fi
      
                - name: Integration test summary
                if: always()
                run: |
                if [[ "${{ steps.run_container.outputs.status }}" == "success" ]]; then
                echo "### Integration Test Passed ✓" >> $GITHUB_STEP_SUMMARY
                echo "Docker image successfully retrieved secrets from DPSS" >> $GITHUB_STEP_SUMMARY
                else
                echo "### Integration Test Failed ✗" >> $GITHUB_STEP_SUMMARY
                echo "Docker image failed to connect to DPSS or retrieve secrets" >> $GITHUB_STEP_SUMMARY
            fi

How the Workflow Works:

Set image tag step

Determines which Docker image tag to use
Supports both manual dispatch and automated triggers
Sets the IMAGE_TAG output variable for subsequent steps

Pull image step

Pulls the Delinea Docker image from Docker Hub
Uses the image tag determined in the previous step

Run container and verify step

Runs the Docker container with required environment variables
Authenticates to Secret Server using the provided credentials
Retrieves secrets specified in DPSS_RETRIEVE
Captures the output and exit code
Sets the status output based on success or failure

Integration test summary step

Runs regardless of previous step success (if: always())
Provides a summary in the GitHub Actions interface
Indicates whether the integration test passed or failed

The environment variables in the Run container and verify step explicitly reference the GitHub secrets configured in the repository. This ensures they are available to the Docker container during execution.