Configuring Secrets
Bucky uses secrets in two contexts: the code review workflow (GitHub Actions) and session pods (EKS). Each has its own mechanism.
Code review workflow (GitHub Actions)
The code review workflow runs on GitHub Actions and authenticates with external services using GitHub secrets.
Repository-level secrets
Set these in Settings > Secrets and variables > Actions > Repository secrets:
| Secret | Purpose |
|---|---|
| SOURCEGRAPH_TOKEN | Code search via Sourcegraph MCP |
Organization-level variables
These are set at the GitHub org level and inherited by all repos. They’re already configured at Fetch — you don’t need to set them.
| Variable | Purpose |
|---|---|
| BUCKY_APP_ID | GitHub App ID for cross-repo access |
| BUCKY_APP_PRIVATE_KEY | GitHub App private key |
| BUCKY_IAM_ROLE | AWS IAM role ARN for Bedrock authentication |
| ARTIFACTORY_NPM_PROD_TOKEN | NPM registry token (web preset) |
| ARTIFACTORY_GOPROXY | Go proxy URL (golang preset) |
| ARTIFACTORY_PROD_REPO | NPM registry URL (web preset) |
| BUF_ACCESS_TOKEN_SECRET_ARN | Buf token ARN for protobuf (web preset) |
Session pods (EKS)
Session pods receive credentials from the agent service directly — they don’t use GitHub Actions secrets. To inject your own secrets into session pods, use sm:// references in .bucky/config.yaml:

```yaml
version: 1
env:
  DATABASE_URL: "postgres://localhost:5432/mydb" # plain value
  MY_API_KEY: "sm://my-team/api-key" # resolved from Secrets Manager
  DD_API_KEY: "sm://arn:aws:secretsmanager:us-east-1:123456789:secret:datadog-key"
```

The agent resolves sm:// references from AWS Secrets Manager at dispatch time and injects the values securely via Kubernetes Secrets. See Repo Configuration for full details.
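The following is an added illustration of the sm:// convention described above, not the agent's own code: it parses an env map like the one in .bucky/config.yaml, resolves both the short-name and ARN forms of sm:// references through a pluggable fetcher (a constructed in-memory store here; a real fetcher would call Secrets Manager's GetSecretValue), and emits the Kubernetes Secret object a pod would receive. The store contents, manifest name and namespace are assumptions.

```python
import base64
import json
from typing import Callable, Dict, Tuple

SM_PREFIX = "sm://"

# Constructed stand-in for the "env" map from the .bucky/config.yaml example.
CONFIG_ENV = {
    "DATABASE_URL": "postgres://localhost:5432/mydb",
    "MY_API_KEY": "sm://my-team/api-key",
    "DD_API_KEY": "sm://arn:aws:secretsmanager:us-east-1:123456789:secret:datadog-key",
}

# Constructed in-memory Secrets Manager so the example runs offline
# (assumed values; a real fetcher would call GetSecretValue via boto3).
FAKE_SECRETS_MANAGER = {
    "my-team/api-key": "example-api-key-value",
    "arn:aws:secretsmanager:us-east-1:123456789:secret:datadog-key": "example-datadog-key",
}


def parse_reference(value: str) -> Tuple[bool, str]:
    """Return (is_secret_ref, secret_id). The id after sm:// may be a
    secret name or a full ARN; plain values are returned unchanged."""
    if not value.startswith(SM_PREFIX):
        return False, value
    secret_id = value[len(SM_PREFIX):]
    if not secret_id:
        raise ValueError("empty sm:// reference")
    return True, secret_id


def resolve_env(env: Dict[str, str], fetch: Callable[[str], str]) -> Dict[str, str]:
    """Resolve every sm:// reference with `fetch`; plain values pass through.
    A missing secret raises instead of silently injecting an empty value."""
    resolved = {}
    for name, value in env.items():
        is_ref, secret_id = parse_reference(value)
        resolved[name] = fetch(secret_id) if is_ref else value
    return resolved


def to_k8s_secret_manifest(name: str, namespace: str, data: Dict[str, str]) -> dict:
    """Build an Opaque Kubernetes Secret; `data` values are base64-encoded."""
    encoded = {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": encoded}


def fake_fetch(secret_id: str) -> str:
    """Fetcher against the constructed store; mirrors a lookup failure."""
    if secret_id not in FAKE_SECRETS_MANAGER:
        raise KeyError(f"secret not found in Secrets Manager: {secret_id}")
    return FAKE_SECRETS_MANAGER[secret_id]


if __name__ == "__main__":
    env = resolve_env(CONFIG_ENV, fake_fetch)
    print(json.dumps(to_k8s_secret_manifest("bucky-session-env", "bucky", env), indent=2))
```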