How do you get the value of a repo secret from a GitHub App?

The problem:

  1. I am building a GitHub App, which has the secrets scope
  2. The app needs a PAT secret to authenticate with a third-party API (not a GitHub API)
  3. This PAT should be provided in the app settings .yml file in the repo/org .github folder by the admin installing it
  4. Currently there is no way to get the actual secret value via the REST API endpoint. This endpoint seems to only be returning the name of the secret and created_at and updated_at, and I don’t see a way to get the actual value (am I missing something?).

Possible solutions:
To avoid storing any plaintext secret in the GitHub app settings .yml file in their repo:

  • Allow the GitHub App access to secret values via the API. Maybe add the ability to give an app scopes to read only specific secrets or from select environments so users feel comfortable with this.
  • Do something like in Actions in the app settings yml (i.e. ${{ secrets.SECRET_TOKEN }}) and resolve the secret and provide it to the GitHub App context. You could encrypt it with the GitHub App's public key and provide it encrypted, and the app could decrypt it with its private key.

Hopefully I am just missing something and there is already a way to get the secret value via the REST API!

Secrets are documented as explicitly for use by GitHub actions:

I’m curious, where does your app store the secret that enables it to authenticate with GitHub as a GitHub application, and why not store your secrets there as well?

This is not a secret that I own. This is a token owned by the org installing the app to their repo, and my app needs it to authenticate to the third-party API.

Ah. I’d file a ticket to:
https://support.github.com

I suspect that this isn’t a supported use case ATM. It wouldn’t shock me if it won’t be.

You could provide an action/workflow which would allow repositories to run your action and give you the required secret.

For perspective, here’s how GitHub’s Dependabot handles this:

Note that it doesn’t use normal secrets. They’ve created an entire unrelated secret store. Conceptually, this would be equivalent to you offering to manage secrets for your customers.