2025-01-15 6:15pm ADT
Lots of little bits of digging I had to do to get Vault working with GitHub Actions. But here's a quick summary of how I got it working, using wmb (my webhook-to-IRC bot) as an example.
Inside a job, you can add this:
- name: Retrieve wmb info from vault
  id: import-secrets-wmb
  uses: hashicorp/vault-action@v3.1.0
  with:
    url: ${{ secrets.VAULT_ADDR }}
    method: approle
    roleId: ${{ secrets.VAULT_ROLE_ID }}
    secretId: ${{ secrets.VAULT_SECRET_ID }}
    secrets: |
      kv/data/pipeline/wmb WMB_URL ;
      kv/data/pipeline/wmb WMB_PASSWORD
    exportEnv: true
Then, access the secrets in the job like this:
- name: Notify IRC on Success
  run: |
    export COMMIT_MSG=$(git log -1 --pretty=%B)
    export MESSAGE="Build and push of ghcr.io/${{ github.repository }}:staging completed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
    curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 3}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
  if: success()
- name: Notify IRC on Failure
  run: |
    export COMMIT_MSG=$(git log -1 --pretty=%B)
    export MESSAGE="Build and push of ghcr.io/${{ github.repository }}:staging failed with commit message: $COMMIT_MSG. See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
    curl -X POST -H "Content-Type: application/json" -d "{\"message\": \"$MESSAGE\", \"password\": \"${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}\", \"colourcode\": 4}" ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
  if: failure()
So in summary, to read the secrets from other steps of the job, use ${{ steps.import-secrets-wmb.outputs.WMB_URL }}
and ${{ steps.import-secrets-wmb.outputs.WMB_PASSWORD }}
(the step id followed by the output name you gave in the secrets list).
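One caveat on the curl steps above: the JSON body is built by splicing $MESSAGE (which contains the raw commit message) into a string, so a double quote or newline in a commit message breaks the payload, and the password is written into the script text rather than read from the environment. The following is an added example, not part of the original post, showing the same wmb notification built with a real JSON encoder; it assumes that exportEnv: true has exposed the secrets as the WMB_URL and WMB_PASSWORD environment variables and that COMMIT_MSG has been exported as in the post.

```python
import json
import os
import urllib.request

# Colour codes as used in the post's success/failure steps.
COLOUR_SUCCESS = 3
COLOUR_FAILURE = 4


def build_message(repo: str, run_id: str, commit_msg: str, succeeded: bool) -> str:
    """Same text the post's MESSAGE variable carries, for either outcome."""
    state = "completed" if succeeded else "failed"
    return (f"Build and push of ghcr.io/{repo}:staging {state} with commit message: "
            f"{commit_msg}. See https://github.com/{repo}/actions/runs/{run_id}")


def build_payload(message: str, password: str, colourcode: int) -> bytes:
    """Encode the wmb body with json.dumps so quotes, backslashes and newlines
    in the commit message stay inside the "message" field."""
    body = {"message": message, "password": password, "colourcode": colourcode}
    return json.dumps(body).encode("utf-8")


def naive_payload_is_valid_json(message: str, password: str, colourcode: int) -> bool:
    """Mirror the shell approach from the post (string splicing) and report
    whether the result still parses as JSON. It fails on a quoted commit message."""
    raw = '{"message": "%s", "password": "%s", "colourcode": %d}' % (message, password, colourcode)
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


def notify(succeeded: bool, env=os.environ, opener=urllib.request.urlopen) -> int:
    """Post the notification. WMB_URL / WMB_PASSWORD are assumed to come from
    exportEnv: true; GITHUB_REPOSITORY and GITHUB_RUN_ID are the runner's own
    default variables; COMMIT_MSG is exported by the step as in the post.
    Returns the HTTP status code."""
    message = build_message(env["GITHUB_REPOSITORY"], env["GITHUB_RUN_ID"],
                            env["COMMIT_MSG"], succeeded)
    payload = build_payload(message, env["WMB_PASSWORD"],
                            COLOUR_SUCCESS if succeeded else COLOUR_FAILURE)
    req = urllib.request.Request(env["WMB_URL"], data=payload,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener(req) as resp:
        return resp.status
```

In the workflow this would replace the curl line with a call to notify(True) or notify(False), keeping the password out of the script text and the process command line.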
The biggest thing I noted was needing to add the ;
and put each secret on its own line when accessing multiple secrets, specifically:
secrets: |
  kv/data/pipeline/wmb WMB_URL ;
  kv/data/pipeline/wmb WMB_PASSWORD
And now just set the VAULT_ADDR, VAULT_ROLE_ID, and VAULT_SECRET_ID in the repo secrets for GH actions, and you're good to go.