top of page

Part 2: CI/CD pipeline with MuleSoft and GitHub Actions - secured/encrypted properties


Other posts from this series:


In this post:


In the previous article, we learned the basics to get started with a simple CI/CD pipeline to deploy a Mule application to CloudHub. We learned how to create Secrets in GitHub for your Anypoint Platform credentials, how to set up the build.yml file to set up the workflows, how to run the pipeline and the details of each of the steps in the pipeline. If you haven’t gone through that, I highly recommend you do. The steps for this post won’t be as detailed.

In this post, we’ll see the steps to create a pipeline with GitHub Actions that will decrypt your secured properties in your Mule application. If you don’t have secured properties in your application, you may not need this configuration.


You should already have all the setup in your Mule application for the secured properties. In summary, this is what you should already have:

  • Your secure properties file(s) under src/main/resources

  • Your encrypted properties (see Encrypt Properties Using the Secure Properties Tool)

  • Your Secure Properties Config in Global Elements (secure-properties:config)

  • The name of your decryption key property (i.e., secure.key)

  • We recommend you add the key name to the mule-artifact.json file so it appears hidden in Runtime Manager (i.e., "secureProperties": ["secure.key"])

⚠️ Important: Make sure your Mule application is correctly configured and works locally before attempting to create the pipeline. Otherwise, you might encounter some issues.

Set up your credentials

In your GitHub repository, go to the Settings tab (make sure you are signed in to see it). Now go to Secrets and variables > Actions. Here you will be able to set up your repository secrets.

In the previous tutorial, we added two credentials:



For this part, we’re going to add a new one that will contain the decryption key.

Click on New repository secret. In the Name field, write DECRYPTION_KEY. In the Secret field, write the actual value of your key. For example, MyMuleSoftKey. Click Add secret.

You don’t have to change the name of this secret. We will keep it as-is because it will be used in the pipeline. I’ll show you later in the post where to modify the name of the property to match the one you have in your Mule application (like secure.key).

Set up your repo

In the last post, we learned how to set up our build.yml file under .github/workflows for the actual pipelines in GitHub. This time, we are going to be using the same base file, just adding a few modifications to include the new decryption key.

You can copy and paste the following code into this file.

As you can see, we added a new KEY variable that will get the decryption key from our secrets; and we are sending a -Ddecryption.key parameter into the maven command.

ℹ️ Note: If you add this manually to the maven command, don’t forget to add a backslash (\) in the previous line.

Modify your pom.xml

Go to your Mule application’s pom.xml file and locate the cloudHubDeployment configuration. You will need to add the following property:

ℹ️ Note: this is where the name of your actual property needs to be set. In our example, we are using secure.key. Modify this field to match the name of your property, but keep the decryption.key since we’re using that in the GitHub Action pipeline.


Your configuration should look something like this:

That’s all! Once you send these changes to the main branch, your pipeline will start running and deploying to CloudHub.

More resources

You can check out my GitHub profile for more CI/CD repos:

I hope this was helpful!

Don't forget to subscribe so you don't miss any future content.

2,610 views0 comments


bottom of page