This GitHub Actions workflow rotates or updates a GHCR Docker registry secret across multiple Kubernetes namespaces in a GKE cluster. It is designed as a reusable template for securely managing image pull secrets.
The workflow:
- Authenticates to GKE
- Connects to the Kubernetes cluster
- Creates or updates the ghcr-secret in the specified namespaces
- Supports manual approval via GitHub Environments
- Manual trigger via GitHub Actions UI
- Multi-namespace secret rotation
- Idempotent secret update (create or replace)
- GKE authentication via service account
- Environment approval support
Configure the following repository secrets:
GKE_KEY # GCP service account JSON key
GHCR_USERNAME # GitHub Container Registry username
GHCR_PAT # GitHub personal access token
Create the workflow file:
.github/workflows/rotate-secret.yaml
Paste the workflow YAML into this file.
- Go to Repository → Settings → Environments
- Create an environment named:
prod
- Add Required reviewers so that every run must be approved before it executes
- Go to Actions → Rotate GHCR imagePullSecrets
- Click Run workflow
- Enter namespaces as comma-separated values:
dev,staging,prod
For each namespace:
- If ghcr-secret does not exist → it is created
- If it already exists → it is updated with the new credentials
This ensures consistent secret rotation across environments.
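The page refers to the workflow YAML without reproducing it, so the following is an added example of a .github/workflows/rotate-secret.yaml that implements the steps listed above (manual trigger, prod environment approval, GKE authentication, and the create-or-update loop just described). It is not the original project's file: the cluster name, region, and the use of the google-github-actions/auth and get-gke-credentials actions are assumptions you must adjust for your cluster.

```yaml
name: Rotate GHCR imagePullSecrets

on:
  workflow_dispatch:
    inputs:
      namespaces:
        description: "Comma-separated namespaces to update (e.g. dev,staging,prod)"
        required: true
        default: "dev,staging,prod"

jobs:
  rotate:
    runs-on: ubuntu-latest
    # Required reviewers configured on the "prod" environment gate this job.
    environment: prod
    permissions:
      contents: read
    steps:
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GKE_KEY }}

      - name: Get GKE credentials
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: my-cluster   # ASSUMPTION: replace with your cluster name
          location: us-central1      # ASSUMPTION: replace with your region or zone

      - name: Create or update ghcr-secret in each namespace
        # Credentials are passed through the environment rather than interpolated
        # into the script body, so they never appear in the rendered step source.
        env:
          GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
          GHCR_PAT: ${{ secrets.GHCR_PAT }}
          NAMESPACES: ${{ inputs.namespaces }}
        run: |
          set -euo pipefail
          IFS=',' read -ra NS_LIST <<< "${NAMESPACES}"
          for ns in "${NS_LIST[@]}"; do
            ns="$(echo "$ns" | xargs)"   # trim surrounding whitespace
            [ -n "$ns" ] || continue
            # --dry-run=client renders the Secret manifest without contacting the
            # cluster; piping it into kubectl apply creates the Secret if missing
            # or replaces its data if it already exists (idempotent rotation).
            kubectl create secret docker-registry ghcr-secret \
              --namespace "$ns" \
              --docker-server=ghcr.io \
              --docker-username="${GHCR_USERNAME}" \
              --docker-password="${GHCR_PAT}" \
              --dry-run=client -o yaml | kubectl apply -f -
            echo "ghcr-secret updated in namespace ${ns}"
          done
```

Because `set -euo pipefail` is in effect, a namespace that does not exist or a failed apply stops the run with a non-zero exit code instead of silently skipping that environment, which is what you want for a secret rotation job. The job's `permissions` block limits the default GITHUB_TOKEN to read access; the workflow needs no write access to the repository itself.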
You should modify:
- Cluster name and region in the workflow
- Secret name
- Docker registry settings
- Namespace input handling