diff --git a/README.md b/README.md
index 3d5bcf2..5fa51fe 100644
--- a/README.md
+++ b/README.md
@@ -71,13 +71,16 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [github_repository.repo](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
+| [github_actions_secret.this](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource |
+| [github_repository.this](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_environment_secrets"></a> [environment\_secrets](#input\_environment\_secrets) | A map of environment-scoped secrets | `map(any)` | `{}` | no |
 | <a name="input_repository"></a> [repository](#input\_repository) | The full name of the repository in the form org/repo | `string` | n/a | yes |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | A map of secret definitions | `map(any)` | `{}` | no |
 
 ## Outputs
 
diff --git a/data.tf b/data.tf
index bbaef95..5cd3830 100644
--- a/data.tf
+++ b/data.tf
@@ -1,3 +1,3 @@
-data "github_repository" "repo" {
+data "github_repository" "this" {
   full_name = var.repository
 }
diff --git a/example/main.tf b/example/main.tf
new file mode 100644
index 0000000..2343a02
--- /dev/null
+++ b/example/main.tf
@@ -0,0 +1,32 @@
+module "env" {
+  source  = "tbobm/environments/github"
+  version = "1.0.0"
+
+  repository = "tbobm/terraform-github-secrets"
+
+  environments = {
+    "staging"    = {}
+    "production" = {}
+  }
+}
+
+module "secrets" {
+  source = "../"
+
+  repository = "tbobm/terraform-github-secrets"
+
+  secrets = {
+    deploy_key = {
+      name      = "DEPLOY_KEY"
+      plaintext = "ABCDEF"
+    }
+    registry_username = {
+      name      = "DOCKERHUB_USERNAME"
+      plaintext = "sampleuser"
+    }
+    registry_password = {
+      name      = "DOCKERHUB_PASSWORD"
+      plaintext = "samplepass"
+    }
+  }
+}
diff --git a/locals.tf b/locals.tf
new file mode 100644
index 0000000..a102139
--- /dev/null
+++ b/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  secrets = {
+    for key, value in var.secrets :
+    key => value
+  }
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..3e5f289
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,7 @@
+resource "github_actions_secret" "this" {
+  for_each = local.secrets
+
+  repository      = data.github_repository.this.name
+  secret_name     = each.value.name
+  plaintext_value = each.value.plaintext
+}
diff --git a/variables.tf b/variables.tf
index bd3c990..c2aef64 100644
--- a/variables.tf
+++ b/variables.tf
@@ -2,3 +2,15 @@ variable "repository" {
   type        = string
   description = "The full name of the repository in the form org/repo"
 }
+
+variable "secrets" {
+  type        = map(any)
+  description = "A map of secret definitions"
+  default     = {}
+}
+
+variable "environment_secrets" {
+  type        = map(any)
+  description = "A map of environment-scoped secrets"
+  default     = {}
+}