GitHub Actions Secrets and Environments

Sanjeev Sharma
2 min read

Securely manage credentials and configuration across different deployment environments in GitHub Actions.

Introduction

Secrets and Environments enable safe credential management and environment-specific configurations in CI/CD workflows.

Managing Secrets

Creating Repository Secrets

Store in Settings → Secrets → Actions:

# Via GitHub CLI
gh secret set MY_SECRET --body "secret-value"
gh secret set DATABASE_PASSWORD --body "$(cat password.txt)"

Using Secrets in Workflows

steps:
- name: Deploy
  env:
    DB_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
    API_KEY: ${{ secrets.API_KEY }}
  run: |
    echo "Connecting to database"
    curl -H "Authorization: Bearer $API_KEY" https://api.example.com

Secret Best Practices

  1. Never log secrets
  2. Rely on automatic masking, but remember it only redacts the exact secret string: a transformed value (base64, URL-encoded, a substring) is printed in clear unless you register it with the ::add-mask:: workflow command
  3. Rotate regularly
  4. Use environment-specific secrets
  5. Limit secret access

steps:
- name: Deploy
  env:
    # Pass the secret through the environment rather than expanding
    # ${{ secrets.API_KEY }} directly into the script text
    API_KEY: ${{ secrets.API_KEY }}
  run: |
    # Secret automatically masked in logs
    echo "$API_KEY"  # Output: ***
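The masking caveat in practice, as an added example that is not part of the original post: the runner redacts only the literal secret, so a step that derives something from it (here a basic-auth token built from a constructed sample value) has to mask the derived form itself with the `::add-mask::` workflow command before using it. The secret value, the `deploy:` user name and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post: masking a value derived from a
# secret. GitHub masks only the exact secret text in logs; the base64 form of
# it is a different string and would otherwise be printed in clear.

# Constructed sample value so this runs offline; in a workflow step the secret
# would arrive in an env var set from ${{ secrets.API_KEY }}.
SAMPLE_SECRET="s3cr3t-token-value"

# Build what a basic-auth header needs: base64("deploy:<secret>").
# The result no longer contains the raw secret as a substring, so the
# runner's automatic masking cannot recognise it.
derive_auth_token() {
    printf 'deploy:%s' "$1" | base64 | tr -d '\n'
}

# Emit the workflow command that tells the runner to redact the derived value
# from every later log line. Outside Actions it is just a line on stdout;
# inside a step the runner consumes it and never shows it.
mask_derived() {
    printf '::add-mask::%s\n' "$(derive_auth_token "$1")"
}

# Shape of a step body: register the mask first, then use the value.
deploy_step() {
    secret="$1"
    mask_derived "$secret"
    token=$(derive_auth_token "$secret")
    # In a real step this is where the token would be sent, e.g.
    #   curl -H "Authorization: Basic $token" https://api.example.com
    # and any accidental echo of $token would now render as *** in the log.
    echo "Deploying with an Authorization header of length ${#token}"
}

deploy_step "$SAMPLE_SECRET"
```

Order matters: `::add-mask::` only affects output that comes after it, so a step that prints the derived value before registering it has already leaked it.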

Environments

Creating Environments

Settings → Environments → New environment:

  • Development
  • Staging
  • Production

Environment Secrets

Secrets defined on an environment are only available to jobs that reference that environment, and they take precedence over a repository secret of the same name:

env:
  DATABASE_URL: ${{ secrets.DATABASE_URL }}

jobs:
  deploy:
    environment:
      name: production
    steps:
    - name: Deploy
      env:
        PROD_SECRET: ${{ secrets.PROD_SECRET }}
      run: ./deploy.sh

Required Reviewers

jobs:
  deploy-prod:
    environment:
      name: production
      url: https://example.com
    steps:
    - run: echo "Deploying to production"

Set environment protection rules:

  • Require deployment reviews
  • Restrict branch access

Advanced Patterns

Multi-Environment Workflow

name: Deploy

on: push

jobs:
  deploy-dev:
    runs-on: ubuntu-latest
    environment: development
    steps:
    - name: Deploy to dev
      env:
        AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
        API_KEY: ${{ secrets.DEV_API_KEY }}
      run: ./scripts/deploy-dev.sh

  deploy-prod:
    needs: deploy-dev
    runs-on: ubuntu-latest
    environment: production
    if: github.ref == 'refs/heads/main'
    steps:
    - name: Deploy to prod
      env:
        AWS_REGION: ${{ secrets.PROD_AWS_REGION }}
        API_KEY: ${{ secrets.PROD_API_KEY }}
      run: ./scripts/deploy-prod.sh

Using OpenID Connect (OIDC)

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets the job request an OIDC token from GitHub
      contents: read    # required by actions/checkout; listing permissions
                        # explicitly drops every permission not named here
    steps:
    - uses: actions/checkout@v3
    - name: Assume AWS role
      uses: aws-actions/configure-aws-credentials@v2
      with:
        role-to-assume: arn:aws:iam::ACCOUNT:role/GitHubRole
        aws-region: us-east-1
        role-session-name: GitHubActionSession
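The half of the OIDC setup that lives outside the workflow, as an added example that is not part of the original post or of AWS's tooling: the role's trust policy must pin the token's `sub` claim, otherwise any workflow that can obtain a GitHub OIDC token could assume `GitHubRole`. The script below builds that policy for a job that declares `environment: production` and includes an offline check of which subjects it would accept. The repository name `my-org/my-repo`, the environment name and the function names are assumptions; `ACCOUNT` is the same placeholder the workflow above uses.

```shell
#!/bin/sh
# Added example, not from the original post: the IAM trust policy that makes
# the workflow's role-to-assume safe, and a check of the subject it pins.
# "my-org/my-repo" and "production" are constructed values for this example.

ORG_REPO="my-org/my-repo"
ENVIRONMENT="production"

# Subject GitHub puts in the token for a job that declares
# `environment: production`. A job without an environment carries
# "repo:<org>/<repo>:ref:refs/heads/<branch>" instead, so pinning the
# environment form also forces deployments through the environment's
# protection rules (required reviewers, branch restrictions).
expected_subject() {
    printf 'repo:%s:environment:%s' "$ORG_REPO" "$ENVIRONMENT"
}

# Trust policy for the role named in role-to-assume. The aud condition pins
# the audience aws-actions/configure-aws-credentials requests by default;
# the sub condition pins repository and environment.
trust_policy_json() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::ACCOUNT:oidc-provider/token.actions.githubusercontent.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "$(expected_subject)"
      }
    }
  }]
}
EOF
}

# Offline mirror of the StringEquals test STS applies: exit 0 when the
# token's subject satisfies the policy, 1 otherwise.
subject_allowed() {
    [ "$1" = "$(expected_subject)" ]
}

# Stand-alone run: print the policy and try a few subjects against it.
trust_policy_json
for sub in \
    "repo:$ORG_REPO:environment:$ENVIRONMENT" \
    "repo:$ORG_REPO:ref:refs/heads/feature" \
    "repo:other-org/other-repo:environment:$ENVIRONMENT"; do
    if subject_allowed "$sub"; then
        echo "allowed: $sub"
    else
        echo "denied:  $sub"
    fi
done
```

Only the first subject is accepted: a job on a feature branch that never declares the environment, and a job from any other repository, get a different `sub` and STS refuses the assumption. Use `StringLike` with a wildcard only when you deliberately want to trust more than one environment or branch.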

FAQ

Q: Can I use organization-level secrets? A: Yes. Organization members can create secrets visible to all repositories in the organization.

Q: How do I rotate secrets? A: Update the secret value in GitHub. Workflows will use the new value on next run.

Q: Are secrets encrypted? A: Yes, GitHub encrypts secrets at rest and in transit. Only accessible in authenticated workflows.

Written by

Sanjeev Sharma

Full Stack Engineer · E-mopro