GitHub CLI extension

Sync secrets across repos without risky one-off scripts.

gh-secret-sync helps you safely bulk-update GitHub secrets across repository, environment, and organization targets with dry-run previews, explicit confirmation, JSON summaries, and plan-file support (JSON/CSV).

Safe by default · JSON + CSV plans · Automation ready
  • Default --dry-run safety model
  • Supports --secret-value-prompt and stdin
  • Machine-readable output with --json

Install

Be productive in under a minute

Install once, preview with dry-run, then apply only when you explicitly confirm.

gh extension install Nick2bad4u/gh-secret-sync
  • Dry-run first: Preview operations before writing secrets.
  • Plan files: Drive updates from JSON or CSV plans.
  • Structured JSON: Easy to automate in scripts and CI jobs.

Features

Designed for safe secret operations at scale

Explicit safety controls

No secret updates happen unless you opt in with --confirm or --yes.

Flexible targets

Apply to repository, environment, or organization secrets with simple CLI flags.

File-driven plans

Use --plan-file with JSON or CSV for predictable, reviewable batch updates.

Secret-safe inputs

Use prompt, stdin, env vars, or files instead of exposing inline values in command history.

Automation ready

Parse machine-readable summaries from --json for workflows, scripts, and tooling.

Clear failure signal

Exit code 2 indicates partial failure so automation can detect and react.

Usage

Common secret sync workflows

Single secret, single repo

gh secret-sync --repo owner/repo --secret-name API_KEY --secret-value-env API_KEY --confirm

Single secret, multiple repos

gh secret-sync --repos owner/a,owner/b --secret-name API_KEY --secret-value-prompt --confirm

Environment secret target

gh secret-sync --repo owner/repo --env production --secret-name API_KEY --secret-value-env API_KEY --confirm

Organization secret target

gh secret-sync --org my-org --secret-name SHARED --secret-value-env SHARED --org-visibility private --confirm

Plan files

Drive bulk updates from files

Plan type: Example
  • JSON plan file: --plan-file ./docs/examples/secret-plan.example.json
  • CSV plan file: --plan-file ./docs/examples/secret-plan.example.csv --plan-format csv
  • Repo list + multiple secrets: --repo-file repos.txt --set TOKEN=... --set-env URL=DEPLOY_URL
  • Input safety: --secret-value-prompt, --secret-value-stdin, --secret-value-file

JSON mode

Machine-readable output for jobs and scripts

gh secret-sync \
  --plan-file ./docs/examples/secret-plan.example.json \
  --confirm \
  --json
summary.json
{
  "applied": 3,
  "dryRun": false,
  "durationMs": 168,
  "failed": 0,
  "results": [
    { "ok": true, "secretName": "API_KEY", "target": "repo:owner/repo-a" },
    { "ok": true, "secretName": "API_KEY", "target": "repo:owner/repo-b env:production" },
    { "ok": true, "secretName": "SHARED", "target": "org:my-org" }
  ],
  "total": 3
}
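
A CI gate over the --json summary and the exit code described above, as an added example (not code from the gh-secret-sync project). The function name gate, the "ok": false shape of a failed result, and the assumption that the summary is still printed when the exit code is 2 are all hypothetical; only the field names and exit code 2 come from this page.

```python
import json

# Constructed sample: same fields as the summary shown above, with one failed
# entry added. The "ok": false form of a result is an assumption.
SAMPLE_SUMMARY = """{
  "applied": 2, "dryRun": false, "durationMs": 201, "failed": 1,
  "results": [
    {"ok": true, "secretName": "API_KEY", "target": "repo:owner/repo-a"},
    {"ok": false, "secretName": "API_KEY", "target": "repo:owner/repo-b env:production"},
    {"ok": true, "secretName": "SHARED", "target": "org:my-org"}
  ],
  "total": 3
}"""


def gate(summary_text, exit_code, expected_total, expect_apply=True):
    """Return (passed, problems) for one `gh secret-sync --json` run."""
    try:
        summary = json.loads(summary_text)
        results = summary["results"]
        if not all(isinstance(r, dict) for r in results):
            raise TypeError("result entries must be objects")
    except (ValueError, TypeError, KeyError):
        # Fail closed: without a readable summary we cannot tell what was written.
        return False, ["no usable JSON summary; treat the run as failed"]

    failed = [r for r in results if r.get("ok") is not True]
    problems = []
    if exit_code == 2:
        problems.append("exit code 2 (partial failure)")
    elif exit_code != 0:
        problems.append(f"unexpected exit code {exit_code}")
    if expect_apply and summary.get("dryRun"):
        # Catches a job that forgot --confirm/--yes and silently rotated nothing.
        problems.append("summary reports a dry run; no secrets were written")
    if summary.get("failed") != len(failed):
        problems.append("failed count disagrees with the results list")
    if summary.get("total") != expected_total or len(results) != expected_total:
        problems.append(f"expected {expected_total} operations, got {len(results)}")
    # Only names and targets are reported; secret values never appear here.
    problems += [f"not updated: {r.get('secretName')} on {r.get('target')}" for r in failed]
    return not problems, problems
```

Passing expected_total from the reviewed plan file lets the job notice a plan that was truncated or swapped between review and apply.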

Ready to sync secrets safely?

Start with a dry run, confirm only what you intend, and automate the rest with JSON summaries and plan files.