GitHub Actions

In this tutorial you will learn how to use GitHub Actions to automatically deploy policy changes to ArcGIS Server.

Currently, your changes are stored in GitHub after you commit and push them, but ArcGIS Enterprise is not synchronized. Thus, you have to create a GitHub Action to synchronize changes automatically when a new commit is pushed.

This tutorial was tested with ArcGIS Enterprise 11.5 in December 2025.

Prerequisites

Check the preconditions for this tutorial:

  • VS Code is installed on your local machine.

  • You have a GitHub account.

  • You have administrative privileges for security.manager NEXT.

  • You have a GitHub repository as described in Set up a GitHub Repository.

Create GitHub Secrets

To authenticate the GitHub Action, some administrative credentials are needed. Never commit credentials directly to repository files where other people can read them. Create GitHub Secrets instead to store the credentials.

  1. Go to your GitHub repository web interface.

  2. Click the Settings tab.

  3. In the left sidebar, click Secrets and variables > Actions.

  4. Click New repository secret.

  5. Create the following secrets for an administrative user who has permission to modify security.manager policies:

    Secret Name          Description
    ARCGIS_USERNAME      Administrative username for ArcGIS Enterprise Portal (for federated servers) or ArcGIS Server (for standalone servers)
    ARCGIS_PASSWORD      Password for the administrative user
    ARCGIS_SERVER_URL    URL to your ArcGIS Server with port (e.g., https://arcgis.example.com:6443/arcgis)

Create the workflow directory

Store all files for the GitHub Actions workflow in a folder .github/workflows.

  1. In VS Code, create a new folder .github in the repository root.

  2. Inside .github, create a subfolder named workflows.

  3. Your structure should now include:

    security-manager-policies/
    ├── .github/
    │   └── workflows/
    ├── policies/
    │   └── services/
    │       └── SampleWorldCities.json
    └── README.md

Create the workflow file

Create the workflow file for automated policy synchronization.

In the workflows folder, create a file named sync-policies.yml. This file configures the workflow to synchronize the files after pushes or pull requests.

Add a name for the GitHub Action to the file. You can choose any name.

name: Sync Policies to security.manager

The action should run when a push or a pull request targets the main branch and contains changes in the policies/** folder, so add a trigger for both events.

name: Sync Policies to security.manager

on:
  push:
    branches: [ main ]
    paths:
      - 'policies/**'
  pull_request:
    branches: [ main ]
    paths:
      - 'policies/**'

Add a job with the ID sync-policies that runs on the latest Ubuntu and an empty steps section.

name: Sync Policies to security.manager

on:
  push:
    branches: [ main ]
    paths:
      - 'policies/**'
  pull_request:
    branches: [ main ]
    paths:
      - 'policies/**'

jobs:
  sync-policies: # (1)
    runs-on: ubuntu-latest # (2)

    steps: # (3)

(1) ID of the job
(2) The job is executed on the latest Ubuntu
(3) An empty sequence of tasks

Next, add steps that check out the repository code, set up Node.js, and install the security.manager CLI.

jobs:
  sync-policies:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v4

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'

    - name: Install security.manager CLI
      run: npm install -g @conterra/secmanctl

Add a step to authenticate and sync all policies to ArcGIS Enterprise. Use the security.manager CLI commands for these steps.

    - name: Authenticate and sync policies # (1)
      env: # (2)
        SM_USERNAME: ${{ secrets.ARCGIS_USERNAME }}
        SM_PASSWORD: ${{ secrets.ARCGIS_PASSWORD }}
        SM_SERVER_URL: ${{ secrets.ARCGIS_SERVER_URL }}
      run: | # (3)
        # Authenticate with ArcGIS Server and get token
        TOKEN=$(secmanctl login -d "$SM_SERVER_URL" -u "$SM_USERNAME" -p "$SM_PASSWORD" --plain)

        # Sync the complete policies folder to ArcGIS Server
        secmanctl sync -f policies -d "$SM_SERVER_URL" -t "$TOKEN"

(1) Name of the step
(2) Set environment variables from the GitHub Secrets
(3) Run a script with security.manager CLI commands

Add a step that reports that the workflow has finished, then save the file.

    - name: Report sync results # (1)
      if: always() # (2)
      run: | # (3)
        echo "Policy synchronization completed"
        echo "Check security.manager interface to verify policy updates"

(1) Name of the step
(2) Run the step even if previous steps fail
(3) Print a completion message

Your complete workflow file should look like this.

name: Sync Policies to security.manager

on:
  push:
    branches: [ main ]
    paths:
      - 'policies/**'

  pull_request:
    branches: [ main ]
    paths:
      - 'policies/**'

jobs:
  sync-policies:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v4

    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'

    - name: Install security.manager CLI
      run: npm install -g @conterra/secmanctl

    - name: Authenticate and sync policies
      env:
        SM_USERNAME: ${{ secrets.ARCGIS_USERNAME }}
        SM_PASSWORD: ${{ secrets.ARCGIS_PASSWORD }}
        SM_SERVER_URL: ${{ secrets.ARCGIS_SERVER_URL }}
      run: |
        # Authenticate with ArcGIS Server and get token
        TOKEN=$(secmanctl login -d "$SM_SERVER_URL" -u "$SM_USERNAME" -p "$SM_PASSWORD" --plain)

        # Sync the complete policies folder to ArcGIS Server
        secmanctl sync -f policies -d "$SM_SERVER_URL" -t "$TOKEN"

    - name: Report sync results
      if: always()
      run: |
        echo "Policy synchronization completed"
        echo "Check security.manager interface to verify policy updates"
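
A hardened variant of the complete workflow, as an added example that is not part of the original tutorial. It keeps the tutorial's triggers and secmanctl commands and adds only standard GitHub Actions settings: a read-only GITHUB_TOKEN, serialized runs, a sync step that is skipped on pull request runs so that unmerged policy changes are not deployed, and masking of the login token in the logs. The concurrency group name is a hypothetical choice.

```yaml
# Added example: hardened variant of the tutorial's workflow (not from the original page).
name: Sync Policies to security.manager

on:
  push:
    branches: [ main ]
    paths:
      - 'policies/**'
  pull_request:
    branches: [ main ]
    paths:
      - 'policies/**'

permissions:
  contents: read               # GITHUB_TOKEN can only read the repository
concurrency:
  group: sync-policies         # hypothetical group name
  cancel-in-progress: false    # queue runs so two syncs never overlap

jobs:
  sync-policies:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config
    - name: Setup Node.js
      uses: actions/setup-node@v4
      with:
        node-version: '18'
    - name: Install security.manager CLI
      run: npm install -g @conterra/secmanctl
    - name: Authenticate and sync policies
      # Deploy only commits that reached main; pull request runs skip this step.
      if: github.event_name == 'push'
      env:
        SM_USERNAME: ${{ secrets.ARCGIS_USERNAME }}
        SM_PASSWORD: ${{ secrets.ARCGIS_PASSWORD }}
        SM_SERVER_URL: ${{ secrets.ARCGIS_SERVER_URL }}
      run: |
        set -euo pipefail
        TOKEN=$(secmanctl login -d "$SM_SERVER_URL" -u "$SM_USERNAME" -p "$SM_PASSWORD" --plain)
        # The token is created at runtime, so register it for log masking.
        echo "::add-mask::$TOKEN"
        secmanctl sync -f policies -d "$SM_SERVER_URL" -t "$TOKEN"
    - name: Report sync results
      if: always()
      run: |
        echo "Job status: ${{ job.status }}"
```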

Commit and push changes

Commit and push the workflow to GitHub.

  1. Go to the VS Code Source Control.

  2. Review and add the changes.

  3. Enter a commit message: Add GitHub Action for automated policy synchronization

  4. Push changes to GitHub.

Verify configuration

Modify the policy file to test the automated workflow.

  1. Open policies/services/SampleWorldCities.json in VS Code.

  2. Make a small change, such as modifying a query condition:

    "cities_username_filter": {
        "type": "feature",
        "query": "CITY_NAME LIKE UPPER(SUBSTRING('${user.username}', 1, 2)) || '%'"
    },

  3. Commit and push the change to trigger the GitHub Action.

    1. In VS Code Source Control view, stage the modified file.

    2. Commit with message Update cities filter to the first two letters.

    3. Push the changes to trigger the GitHub Action.

Now monitor the workflow execution.

  1. Go to your GitHub repository.

  2. Click the Actions tab.

  3. You should see a workflow run titled Update cities filter to the first two letters.

  4. Click on the workflow run to see execution details.

  5. Monitor the steps: Setup, Install CLI, Validate, Sync, Report.

Verify the policy update in security.manager.

  1. Log in to the security.manager Manager UI.

  2. Navigate to the SampleWorldCities service.

  3. Check that the policy reflects your changes: the city names must match the first two letters of the username.

  4. Test the service with a non-administrative user to ensure the updated restriction is applied.

Summary

In this tutorial, you learned how to set up automated policy synchronization using GitHub Actions. You stored credentials securely using GitHub Secrets and created a workflow for automated policy deployment.

Follow Policy validation to learn how to add policy validation to the action to avoid publishing invalid policies.