If you like waking up to support tickets and emergency rotates then by all means skip this guide. If you prefer not to leak API keys into logs and wallpaper your repo with compromised tokens then keep reading. GitHub Actions secrets are the basic tool for secrets management in GitHub based CI CD pipelines. They let your workflows use sensitive values without plastering them into your code or job logs.
For most teams the web UI is the easiest option. Open repository settings or organization settings and add a secret using the Secrets panel. The web UI encrypts the value so the raw secret never sits in plain text on GitHub. This is the safe and boring route and it works for the majority of use cases.
If you automate secret provisioning with scripts or use a tool like Terraform you will use the REST API or the GitHub CLI. The GitHub REST API expects an already encrypted blob when you create or update a secret. That means you must fetch the repository or organization public key and encrypt the value before sending it to the API. The API endpoints include the public key resources for repos and orgs so automation can do this in a reproducible way.
In short automation needs to respect the public key step. The UI hides that for you. The CLI makes it painless.
Want to avoid writing crypto code and still automate things Use the GitHub CLI for most tasks. It wraps the encryption and the API request so you do not have to wrestle with libsodium directly.
# create or update a repo secret with the GH CLI
gh secret set MY_SECRET --body 'super secret value'
Inside a workflow use the secrets context like this
steps:
- name: Use secret
run: echo "Placeholder not the real secret"
env:
MY_API_KEY: $
Pass secrets into environment variables or to commands carefully. Use clear environment variable names so it is obvious what must never be printed. Avoid echoing secrets or writing them to files that will be archived in artifacts.
Run a dry job that sets placeholder values to confirm the secret name, path, and permissions are correct. Replace the placeholder with the real secret only after the job flow is validated. If a step might print something use masked outputs or conditional logic to suppress the value. GitHub Actions can mask values but it is not a magic bullet. Masking will hide matches in logs but it will not prevent a script from intentionally or accidentally posting the secret elsewhere.
Use repository level secrets for project specific keys and organization level secrets for credentials shared across many repos. Organization secrets let you restrict access by repository so you keep some control. Your choice will depend on least privilege and your DevOps workflows.
GitHub Actions secrets give you a solid way to keep CI CD credentials out of source code and logs. Use the UI when you can and the GitHub CLI when you need automation. If you must use the API remember to fetch the public key and encrypt with a libsodium sealed box before you send anything. Test with placeholders and mask any output that might reveal a value. Follow these steps and you will reduce the chance of waking up to a support incident that starts with the words sorry we leaked your token.
I know how you can get Azure Certified, Google Cloud Certified and AWS Certified. It's a cool certification exam simulator site called certificationexams.pro. Check it out, and tell them Cameron sent ya!
This is a dedicated watch page for a single video.