Preparing Deployment Credentials

To deploy a Walrus Site through a GitHub Actions workflow, the workflow must sign Sui transactions on your behalf. This requires 2 credentials: a private key stored as an encrypted GitHub secret, and the corresponding Sui address stored as a GitHub variable.

Exporting your private key

Use a separate Sui address for each GitHub workflow rather than sharing one address across multiple projects. A dedicated address provides 2 key benefits:

  • Security isolation: A compromise of one workflow does not expose keys used elsewhere.
  • No equivocation: When multiple concurrent workflow runs share an address, they compete for the same gas coins. Sui rejects duplicate coin references in the same checkpoint, causing transaction failures. A dedicated address eliminates this risk. See Avoiding Equivocation for details.

The Sui CLI stores all local keys in ~/.sui/sui_config/sui.keystore as a JSON array of Base64-encoded strings. You can use an existing key from this file or generate a new one.

To use an existing key, run the following command to look up the Sui address that corresponds to a key in your keystore:

$ sui keytool unpack "<base64-key-from-sui.keystore>"

To generate a new key pair, run the following command:

$ sui keytool generate ed25519

You can substitute ed25519 with secp256k1 or secp256r1 depending on your preferred signature scheme.

The command creates a file in your current directory named after the new Sui address, for example 0x123...abc.key. The filename is your Sui address. Copy the filename; you need it later for the SUI_ADDRESS variable.

Open the .key file. Its content is the private key in base64WithFlag format. This value is what you use for the SUI_KEYSTORE secret.

Funding your deployment address

Before any workflow can deploy a site, the address needs SUI tokens to pay network gas fees and WAL tokens to pay for storage. For instructions on acquiring both, refer to Getting Started with Walrus.

Adding credentials to GitHub

With your key and address ready, store them in your GitHub repository. The private key goes into an encrypted secret; the public address goes into a plain variable.

  1. Navigate to your GitHub repository and click the Settings tab.
  2. In the left sidebar, click Secrets and variables, then select Actions.
  3. Open the Secrets tab and click New repository secret.
  4. Set the name to SUI_KEYSTORE.
  5. In the Value field, paste your base64WithFlag key wrapped as a JSON array:

     ["AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"]

Caution: The value must be a JSON array containing a single string element. Include the square brackets and quotation marks exactly as shown. A raw key string without the array wrapper causes authentication to fail.

  6. Click Add secret.
  7. Switch to the Variables tab and click New repository variable.
  8. Set the name to SUI_ADDRESS.
  9. In the Value field, paste the Sui address that corresponds to your private key, for example 0x123abc...def789.
  10. Click Add variable.
Danger: Never commit your private key to version control or share it in plain text. GitHub secrets are encrypted at rest and are only exposed to authorized workflow runs. Verify you are on the correct repository before saving.
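
A local pre-flight check for the SUI_KEYSTORE value described in step 5, added here as an example and not part of the Walrus documentation or tooling. It assumes Sui's key encoding of one scheme-flag byte (0x00 ed25519, 0x01 secp256k1, 0x02 secp256r1) followed by a 32-byte private key, which this page does not spell out; the function names are hypothetical.

```python
import base64
import binascii
import json
import sys

# Assumption (not stated on this page): Sui encodes a key as
# flag byte || 32-byte private key, with these scheme flags.
SCHEMES = {0x00: "ed25519", 0x01: "secp256k1", 0x02: "secp256r1"}
KEY_LEN = 33  # 1 flag byte + 32 key bytes


def check_keystore_secret(value: str) -> list[str]:
    """Return problems with a SUI_KEYSTORE value; empty means OK. Never echoes the key."""
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError:
        return ['not valid JSON (raw key without the ["..."] wrapper?)']
    if not isinstance(parsed, list):
        return ["top-level JSON value is not an array"]
    if len(parsed) != 1:
        return [f"array has {len(parsed)} elements, expected exactly 1"]
    if not isinstance(parsed[0], str):
        return ["array element is not a string"]
    try:
        raw = base64.b64decode(parsed[0], validate=True)
    except (binascii.Error, ValueError):
        return ["array element is not valid Base64"]
    problems = []
    if len(raw) != KEY_LEN:
        problems.append(f"decoded length is {len(raw)} bytes, expected {KEY_LEN}")
    if not raw or raw[0] not in SCHEMES:
        problems.append("first byte is not a known signature-scheme flag")
    return problems


def demo_value() -> str:
    # Constructed dummy: flag 0x00 plus 32 zero bytes. Not a real deployment key.
    return json.dumps([base64.b64encode(bytes(33)).decode()])


if __name__ == "__main__":
    # Read from stdin so the key never appears in argv or shell history.
    issues = check_keystore_secret(sys.stdin.read().strip())
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```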

Next steps

With your credentials stored, you are ready to write the workflow file that uses them. See Creating a GitHub Actions Workflow for Walrus Sites for complete workflow examples and a reference of all action inputs.