This page shows how to automate data anonymization with GitHub Actions. For a conceptual overview and usage instructions, see Data Anonymization.

Automate anonymized branch creation using the Neon Create Branch Action. The masking_rules input lets you define masking rules directly in your workflow, creating an anonymized branch in a single step.

  1. Requirements

    Before setting up the workflow:

    • A Neon project with a populated parent branch
    • The following GitHub repository secrets:
      • NEON_PROJECT_ID
      • NEON_API_KEY

    Tip: The Neon GitHub integration configures these secrets automatically. See Neon GitHub integration.

  2. Set up the workflow

    Create a file at .github/workflows/create-anon-branch.yml with the following content:

    name: Create Anonymized Branch for PR
    
    on:
      pull_request:
        types: [opened, reopened]
    
    jobs:
      create-anon-branch:
        runs-on: ubuntu-latest
        steps:
          - name: Create anonymized branch
            uses: neondatabase/create-branch-action@v6
            id: create-branch
            with:
              project_id: ${{ secrets.NEON_PROJECT_ID }}
              branch_name: anon-pr-${{ github.event.number }}
              api_key: ${{ secrets.NEON_API_KEY }}
              masking_rules: |
                [
                  {
                    "database_name": "neondb",
                    "schema_name": "public",
                    "table_name": "users",
                    "column_name": "email",
                    "masking_function": "anon.dummy_free_email()"
                  },
                  {
                    "database_name": "neondb",
                    "schema_name": "public",
                    "table_name": "users",
                    "column_name": "first_name",
                    "masking_function": "anon.fake_first_name()"
                  },
                  {
                    "database_name": "neondb",
                    "schema_name": "public",
                    "table_name": "users",
                    "column_name": "last_name",
                    "masking_function": "anon.fake_last_name()"
                  }
                ]
    
          - name: Output branch details
            run: |
              echo "Branch ID: ${{ steps.create-branch.outputs.branch_id }}"
              echo "Database URL: ${{ steps.create-branch.outputs.db_url }}"

    The masking_rules input accepts a JSON array where each rule specifies:

    Field             Description
    database_name     Target database (e.g., neondb)
    schema_name       Target schema (typically public)
    table_name        Table containing sensitive data
    column_name       Column to mask
    masking_function  PostgreSQL Anonymizer function to apply

    For available masking functions, see PostgreSQL Anonymizer documentation or the Manage masking rules section of the main guide.

    Note: The masking_rules input creates a new anonymized branch. Masking rules cannot be applied to existing branches.
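
Because rules are fixed when the branch is created, a pre-merge check on the masking_rules JSON catches malformed rules and sensitive columns that have no rule. The following is an added example, not part of the Neon action or its documentation; the inventory of sensitive columns, the `phone` column, and the `anon.` prefix check are assumptions made for illustration.

```python
import json

# Field names taken from the masking_rules table on this page.
REQUIRED = ("database_name", "schema_name", "table_name", "column_name", "masking_function")

def check_masking_rules(rules_json, sensitive_columns):
    """Return a list of problems; an empty list means the rules pass.
    sensitive_columns: hypothetical inventory of (database, schema, table, column) tuples."""
    try:
        rules = json.loads(rules_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(rules, list):
        return ["masking_rules must be a JSON array"]
    problems, covered = [], set()
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: not a JSON object")
            continue
        missing = [k for k in REQUIRED
                   if not isinstance(rule.get(k), str) or not rule[k].strip()]
        if missing:
            problems.append(f"rule {i}: missing or empty {', '.join(missing)}")
            continue
        target = tuple(rule[k] for k in REQUIRED[:4])
        if target in covered:
            problems.append(f"rule {i}: duplicate rule for {'.'.join(target)}")
        covered.add(target)
        # Assumption: masking functions are qualified with anon., as in the page's examples.
        if not rule["masking_function"].startswith("anon."):
            problems.append(f"rule {i}: masking_function is not an anon.* function")
    # Every inventoried column must be the target of at least one well-formed rule.
    for col in sorted(set(sensitive_columns) - covered):
        problems.append(f"no masking rule for {'.'.join(col)}")
    return problems

# Constructed sample: two rules from the page plus a hypothetical inventory with a phone column.
SAMPLE_RULES = """[
  {"database_name": "neondb", "schema_name": "public", "table_name": "users",
   "column_name": "email", "masking_function": "anon.dummy_free_email()"},
  {"database_name": "neondb", "schema_name": "public", "table_name": "users",
   "column_name": "first_name", "masking_function": "anon.fake_first_name()"}
]"""
SAMPLE_INVENTORY = [("neondb", "public", "users", "email"),
                    ("neondb", "public", "users", "phone")]

if __name__ == "__main__":
    for problem in check_masking_rules(SAMPLE_RULES, SAMPLE_INVENTORY):
        print(problem)
```

Keeping the rules in a JSON file that both this check and the workflow read avoids the two copies drifting apart.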

  3. Testing the workflow

    1. Customize and push the workflow file to your repository
    2. Open a new pull request
    3. Check the Actions tab to monitor workflow execution
    4. Verify the anonymized branch in the Neon Console or connect to it to confirm data is masked

  4. Clean up branches

    Clean up anonymized branches when no longer needed. Automate this with the delete-branch-action when PRs close:

    name: Delete Branch on PR Close
    
    on:
      pull_request:
        types: closed
    
    jobs:
      delete-branch:
        runs-on: ubuntu-latest
        steps:
          - name: Delete anonymized branch
            uses: neondatabase/delete-branch-action@v3
            with:
              project_id: ${{ secrets.NEON_PROJECT_ID }}
              branch: anon-pr-${{ github.event.number }}
              api_key: ${{ secrets.NEON_API_KEY }}