Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From github-it-admin
Promote a repo-scoped GitHub secret to org scope (visibility=selected). Use when a secret currently exists at gh-repo scope but is needed at gh-org for the OSEC1 parity table. Operator-paste required because the gh API is write-only on secret values.
npx claudepluginhub subagentceo/knowledge-engineering --plugin github-it-adminHow this skill is triggered — by the user, by Claude, or both
Slash command
/github-it-admin:secret-promoteThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- During OSEC1 audit: `npm run verify:secrets` reports a secret as missing on `gh_org` but present on `gh_repo`.
Guides technical evaluation of code review feedback: read fully, restate for understanding, verify against codebase, respond with reasoning or pushback before implementing.
Share bugs, ideas, or general feedback.
npm run verify:secrets reports a secret as missing on gh_org but present on gh_repo.GitHub's API is write-only on secret values — gh secret list returns names + timestamps but never values. So a script cannot read-then-write to promote; the operator has to paste once.
This skill provides the scaffolded paste flow + read-after-write verify so the promotion isn't silent if it fails.
bash "${CLAUDE_PLUGIN_ROOT}/skills/secret-promote/scripts/promote.sh" <SECRET_NAME>
Behavior:
SECRET_NAME from $1.pbpaste (operator copies the value from wherever they re-fetched it — vendor dashboard, not from gh).gh secret set --org ${user_config.gh_org} --visibility selected --repos ${user_config.gh_repo} <NAME>.gh secret list --org and asserts the new name is present with a fresh timestamp.bash "${CLAUDE_PLUGIN_ROOT}/skills/secret-promote/scripts/list-scope-split.sh"
Prints a table of every secret in the OSEC1 parity table showing org-scope + repo-scope status.
Out of scope for this skill — use the vendor-specific CRUD skills in macos-it-admin/ for value rotation, and gh secret delete for removal.
read -p for the value (echoes to scrollback). Use pbpaste.updatedAt timestamp before exiting clean.gh secret set exits non-zero, do not wipe clipboard (operator may need to retry).| ID | Outcome | Verified by |
|---|---|---|
| OIT2-prom-1 | promote.sh reads from pbpaste, not read -p | conformance test |
| OIT2-prom-2 | list-scope-split.sh cross-references against docs/data/secrets-parity.json (OSEC1) | conformance test |
@cite docs/decisions/2026-05-17-secrets-parity.md (OSEC1) @cite docs/decisions/2026-05-17-secret-store-tiers.md (OSEC2) @cite docs/data/secrets-parity.json