codingstuff.io
ExploreTutorialsProblemsCS Subjects
Get Started
ExploreTutorialsProblemsCS Subjects
Get Started
codingstuff.io

Master the art of building software through interactive tutorials, real-world problems, and guided projects.

Pune, Maharashtra, India

codingstuffmail@gmail.com

Product

  • Explore
  • Tutorials
  • Problems
  • CS Subjects

Company

  • About
  • Contact
  • Privacy Policy
  • Terms & Conditions
  • Sitemap

© 2026 codingstuff.io. All rights reserved.

Built with ❤️ for developers everywhere

/
/
All Tutorials
📦

Git & GitHub

31 / 63 topics
29Introduction to GitHub Actions30Creating and Managing Workflows31Using Secrets in GitHub Actions32Using Dependabot for Dependency Management33Code Review Best Practices on GitHub34Collaborating with Others on GitHub
Tutorials/Git & GitHub/Using Secrets in GitHub Actions
📦Git & GitHub

Using Secrets in GitHub Actions

Updated 2026-04-20
3 min read

Using Secrets in GitHub Actions

Introduction

GitHub Actions is a powerful automation tool that allows you to automate, customize, and execute your software workflows right in your repository. One of the critical aspects of using GitHub Actions is securely managing sensitive information such as API keys, tokens, and other credentials. This guide will walk you through how to use secrets in GitHub Actions, ensuring that your workflows are secure and efficient.

Understanding Secrets

Secrets in GitHub Actions are encrypted environment variables that you can store in your repository or organization settings. These secrets are then accessible by your workflows during runtime. Using secrets helps prevent sensitive information from being hard-coded into your workflow files, reducing the risk of security breaches.

Types of Secrets

  1. Repository Secrets: These are secrets stored at the repository level and are accessible to all workflows in that specific repository.
  2. Organization Secrets: These are secrets stored at the organization level and can be accessed by any repository within the organization.
  3. Environment Secrets: These are secrets scoped to a specific environment within a repository, allowing for more granular access control.

Creating Secrets

Repository Secrets

To create a repository secret:

  1. Navigate to your repository on GitHub.
  2. Click on "Settings" in the sidebar.
  3. Under "Security," click on "Secrets and variables."
  4. Select "Actions" from the left sidebar.
  5. Click on "New repository secret."
  6. Enter a name for the secret and its value.
  7. Click "Add secret."

Organization Secrets

To create an organization secret:

  1. Navigate to your organization settings on GitHub.
  2. Under "Security," click on "Secrets and variables."
  3. Select "Actions" from the left sidebar.
  4. Click on "New organization secret."
  5. Enter a name for the secret, select the repositories that can access it, and enter its value.
  6. Click "Add secret."

Environment Secrets

To create an environment secret:

  1. Navigate to your repository on GitHub.
  2. Click on "Settings" in the sidebar.
  3. Under "Environments," click on the environment you want to add a secret to.
  4. Scroll down to "Secrets and variables."
  5. Click on "New repository secret."
  6. Enter a name for the secret and its value.
  7. Click "Add secret."

Using Secrets in Workflows

Once you have created your secrets, you can use them in your GitHub Actions workflows. Here’s how:

Accessing Secrets

Secrets are accessed using the secrets context in your workflow files. For example, if you have a secret named MY_SECRET, you can access it like this:

steps:
  - name: Use Secret
    run: echo ${{ secrets.MY_SECRET }}

Example Workflow

Here’s an example of a GitHub Actions workflow that uses a secret to authenticate with a third-party API:

name: Deploy to Production

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '14'

      - name: Install dependencies
        run: npm install

      - name: Deploy to Production
        env:
          API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
        run: |
          curl --header "Authorization: Bearer $API_KEY" \
               --data '{"key":"value"}' \
               https://api.example.com/deploy

In this example, the PRODUCTION_API_KEY secret is used to authenticate a deployment request to a third-party API.

Best Practices

  1. Limit Secret Scope: Always limit the scope of your secrets to the minimum necessary. Use environment secrets when possible to restrict access.
  2. Rotate Secrets Regularly: Regularly rotate your secrets to minimize the risk of unauthorized access.
  3. Avoid Hardcoding: Never hardcode sensitive information directly in your workflow files or commit them to your repository.
  4. Use Actions for Security: Leverage GitHub’s built-in security features, such as Dependabot and secret scanning, to help manage and protect your secrets.

Conclusion

Using secrets in GitHub Actions is a crucial step in securing your workflows and protecting sensitive information. By following the best practices outlined in this guide, you can ensure that your GitHub Actions are both secure and efficient. Remember to regularly review and update your secrets to maintain optimal security posture.


PreviousCreating and Managing WorkflowsNext Using Dependabot for Dependency Management

Recommended Gear

Creating and Managing WorkflowsUsing Dependabot for Dependency Management