In previous guides, we've covered how to deploy a private Astro blog with Cloudflare Pages and how to create a more powerful workflow for automating Astro deployments with GitHub Actions. Both of these deployment methods require secrets like CLOUDFLARE_API_TOKEN.
That's easy for one project, but what about ten? Or fifty? Manually adding the same secrets to every repository is tedious and error-prone.
This guide solves that problem. We'll show you how to create a centralized "secrets hub" that can synchronize your secrets across all your projects with a single click, saving you time and giving you a single source of truth.
Step 1: The "God Key" - Create a Scoped Personal Access Token (PAT)
This is the most critical step. We are creating a powerful token that can write secrets to your repositories. Treat it like a password.
CRITICAL SECURITY WARNING: A Personal Access Token is a powerful credential. If it leaks, your repositories can be compromised. Store it securely and never expose it in logs or public code.
- Navigate to your GitHub Settings > Developer settings > Personal access tokens > Fine-grained tokens.
- Click Generate new token.
- Give it a descriptive name, like secrets-sync-token, and set an expiration date.
- Under Repository access, select All repositories or choose the specific repositories you want this token to manage. For this guide, "All repositories" is simpler, but selecting specific ones is more secure if you know your scope.
- Under Permissions, click on Repository permissions. You only need to grant two specific permissions:
  - Actions: Read and write
  - Secrets: Read and write
- Click Generate token and copy the token immediately. You will not see it again.
Step 2: Build Your Fort - The Private Secrets Hub
This repository will be the central, secure location for your master secrets.
- Create a new, private GitHub repository. Name it something clear, like secrets-hub. It absolutely must be private.
- In this new repository, go to Settings > Secrets and variables > Actions and click New repository secret.
- Create a secret named ACTIONS_PAT and paste the Personal Access Token you just generated.
- Now, add the "master" versions of the secrets you want to manage. For example:
  - CLOUDFLARE_API_TOKEN
  - NPM_TOKEN
  - DOCKER_HUB_ACCESS_TOKEN
Your hub is now set up. It's a private vault containing your master secrets and the key to access other repositories.
Step 3: The Engine - The Secret Sync Workflow
Now for the automation. In your secrets-hub repository, create a file at .github/workflows/sync-secrets.yml. This workflow will take a target repository and sync all your master secrets to it.
```yaml
# .github/workflows/sync-secrets.yml
name: Sync All Secrets to Repository

on:
  workflow_dispatch:
    inputs:
      target_repo:
        description: 'The full name of the target repository (e.g., YourUsername/project-name)'
        required: true

jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Sync All Secrets
        env:
          # gh picks up GH_TOKEN automatically; this is the PAT that may write secrets
          GH_TOKEN: ${{ secrets.ACTIONS_PAT }}
          TARGET_REPO: ${{ github.event.inputs.target_repo }}
          # Expose each master secret as an environment variable instead of
          # interpolating ${{ secrets.* }} inside the script, so characters such
          # as $, " or backticks in a secret value are never parsed by the shell.
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
        run: |
          echo "Syncing all secrets to repository '$TARGET_REPO'..."
          # Add all your master secrets here to be synced; each value is piped on
          # stdin so it never appears on a command line or in the job log.
          echo -n "$CLOUDFLARE_API_TOKEN" | gh secret set CLOUDFLARE_API_TOKEN --repo "$TARGET_REPO"
          echo -n "$NPM_TOKEN" | gh secret set NPM_TOKEN --repo "$TARGET_REPO"
          echo -n "$DOCKER_HUB_ACCESS_TOKEN" | gh secret set DOCKER_HUB_ACCESS_TOKEN --repo "$TARGET_REPO"
          echo "Successfully synced all secrets."
```
How It Works:
- on: workflow_dispatch: This creates a manual trigger with a form in the "Actions" tab.
- env block: We load the ACTIONS_PAT into GH_TOKEN, which the gh CLI automatically uses for authentication. Passing secret values to the script through env rather than interpolating them directly into the shell script also keeps the shell from interpreting characters such as $ or " that may appear inside a value.
- gh secret set: We run this command for each master secret. The echo -n and pipe (|) pass the value on stdin, so it is handed directly to the command and never appears on a command line or in the action's logs.
Note for Power Users: This workflow is designed for simplicity. You could easily extend it to be more flexible. For example, you could add another input field for a comma-separated list of secret names (secret_names) and then use a script to loop through that list and sync only the specified secrets.
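Here is one way to write that power-user variant, as an added example that is not part of the original post or the workflow above. It is a POSIX shell script meant to be the body of the `run:` step, and it assumes a second `workflow_dispatch` input named `secret_names` (an assumed name) exposed as the `SECRET_NAMES` environment variable, and that every master secret is exposed through `env:` under its own name, exactly as the workflow does for `GH_TOKEN`. The script trims and validates each requested name against GitHub's secret-naming rules before touching it, pipes every value to `gh secret set` on stdin, and fails the job if any name was invalid or has no value in the hub. `GH_BIN` is an assumed override so a stub can stand in for `gh` when testing locally.

```shell
#!/bin/sh
# Added example, not from the original post: sync only the secrets listed in
# SECRET_NAMES (comma-separated) to TARGET_REPO.
# Assumptions: the workflow exposes every master secret through `env:` under its
# own name (e.g. CLOUDFLARE_API_TOKEN), SECRET_NAMES comes from an assumed
# `secret_names` workflow_dispatch input, and GH_BIN is an assumed override so a
# stub can replace gh when testing outside GitHub Actions.
set -euf

# Print one trimmed, non-empty name per line from a comma-separated list.
parse_secret_names() {
  printf '%s\n' "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' || true
}

# GitHub secret names may contain only letters, digits and underscores, must
# not start with a digit, and the GITHUB_ prefix is reserved.
valid_secret_name() {
  case "$1" in
    GITHUB_*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# sync_secret NAME REPO: read the value from the environment variable NAME and
# pipe it to gh on stdin, so the value never appears on a command line.
sync_secret() {
  name=$1
  repo=$2
  valid_secret_name "$name" || return 1
  # The name has been validated, so this eval only ever expands an identifier.
  value=$(eval "printf '%s' \"\${$name-}\"")
  if [ -z "$value" ]; then
    echo "::error::secret '$name' is not set in the hub" >&2
    return 1
  fi
  printf '%s' "$value" | "${GH_BIN:-gh}" secret set "$name" --repo "$repo"
}

# sync_selected "NAME1, NAME2" REPO: sync every listed secret and return 1 if
# any name was invalid or missing, so the job fails visibly instead of silently.
sync_selected() {
  repo=$2
  failed=0
  old_ifs=$IFS
  IFS='
'
  set -- $(parse_secret_names "$1")   # one positional parameter per name
  IFS=$old_ifs
  for name in "$@"; do
    if ! valid_secret_name "$name"; then
      echo "::error::invalid secret name '$name'" >&2
      failed=1
      continue
    fi
    sync_secret "$name" "$repo" || failed=1
  done
  return "$failed"
}

# In the workflow step this would be the last line:
#   sync_selected "$SECRET_NAMES" "$TARGET_REPO"
```

Validating names before the `eval` is what makes the indirect lookup safe: anything that is not a plain identifier is rejected with an `::error::` annotation and the job exits non-zero, which is preferable to a partial sync that leaves the target repository half-updated without anyone noticing.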
Step 4: Putting It All to Work
Now, managing your secrets is simple.
- Go to your secrets-hub repository on GitHub and click the Actions tab.
- Select the Sync All Secrets to Repository workflow.
- Click the Run workflow dropdown.
- Fill in the Target Repository, for example: YourUsername/your-target-project.
- Click Run workflow.
In moments, the action will execute and all your secrets will be securely synchronized. When a token expires, you update it in one place—the secrets-hub—and then re-run this workflow for each repository that needs the update.
Conclusion: A Single Source of Truth
You've now built a lightweight but powerful secret management system that solves a major pain point of working with multiple repositories. By centralizing your secrets, you reduce the risk of errors, save time, and apply the DRY principle to your operations.
Always remember to guard your Personal Access Token and keep your secrets hub private. With this system in place, you’re in full, centralized control.