Detects secrets that are defined in the repository and are not used in GitHub Actions.
What it does:
- Get repository secrets using GitHub Actions API
- Clone the repository
- Search through the GitHub Actions related files (`.github/workflows/*.yaml` and `.github/workflows/*.yml`) and try to find usages of each secret
- Report those secrets which are not found

Requirements:
- GitHub token with `repo` scope (GitHub docs)

Installation:
pip install detect-gh-actions-unused-secrets

Usage:
detect-gh-actions-unused-secrets <token> <owner>/<repo1> <owner>/<repo2>

Option to generate a text file with `curl`s to delete all unused secrets in the repositories that were scanned:
detect-gh-actions-unused-secrets <token> <owner>/<repo1> --generate-curls
This command will produce a file called `curls.sh` that will contain line-by-line `curl` commands to delete all unused secrets in the `<owner>/<repo1>` repository. This endpoint will be utilized.
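
The search-and-report steps listed under "What it does" can be reproduced by hand to review a result before running `curls.sh`. The sketch below is an added example, not this project's code: the function names, the regexes, the choice to ignore commented-out lines, and the `secrets: inherit` flag are assumptions of the example, and the sample data is constructed.

```python
import re
from pathlib import Path

# ${{ secrets.NAME }} and ${{ secrets['NAME'] }}; secret names are not case-sensitive.
SECRET_REF = re.compile(
    r"""\bsecrets\s*(?:\.\s*(\w+)|\[\s*['"](\w+)['"]\s*\])""", re.IGNORECASE)
# "secrets: inherit" on a reusable-workflow call forwards every secret, so a
# text search of the caller cannot prove that any secret is unused.
INHERIT = re.compile(r"^\s*secrets\s*:\s*inherit\s*(?:#.*)?$", re.MULTILINE)

# Constructed sample data (not taken from any real repository).
SAMPLE_DEFINED = ["NPM_TOKEN", "DEPLOY_KEY", "SLACK_WEBHOOK", "OLD_AWS_KEY"]
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
          DEPLOY: ${{ secrets['DEPLOY_KEY'] }}
      # - run: ./notify.sh ${{ secrets.SLACK_WEBHOOK }}
"""


def referenced_secrets(text):
    """Return (upper-cased secret names referenced in text, inherits_all flag)."""
    # Drop whole-line YAML comments so commented-out steps do not count as usage.
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    names = {(dot or idx).upper() for dot, idx in SECRET_REF.findall(live)}
    return names, bool(INHERIT.search(live))


def unused_secrets(defined, workflow_texts):
    """Return (sorted defined names with no reference, True if any file inherits)."""
    used, inherit = set(), False
    for text in workflow_texts:
        names, inherits = referenced_secrets(text)
        used |= names
        inherit = inherit or inherits
    return sorted(n for n in defined if n.upper() not in used), inherit


def scan_checkout(repo_dir, defined):
    """Apply unused_secrets() to the workflow files of a local clone."""
    wf = Path(repo_dir) / ".github" / "workflows"
    files = sorted(wf.glob("*.yml")) + sorted(wf.glob("*.yaml"))
    return unused_secrets(defined, [f.read_text(encoding="utf-8") for f in files])
```

When the second return value is `True`, treat the "unused" list as unverified: the called workflow may consume any of those secrets.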