What Is a GitHub Actions Secret?
A secret is an encrypted value, such as an API key or password, that workflows can read but that GitHub keeps out of logs.
Pipelines often need credentials. Secrets let you store sensitive values at the repository, environment, or organization level so workflows can use them without exposing them in code or logs.
What it is
A secret is an encrypted key-value pair stored in GitHub settings. Workflows access it through the secrets context, and GitHub automatically masks its value in logs.
steps:
- run: ./deploy.sh
env:
API_KEY: ${{ secrets.API_KEY }}How it works
Secrets are encrypted at rest and injected only into the steps that reference them. If a secret value appears in log output, GitHub replaces it with asterisks.
Scopes
- Repository secrets are available to that repo's workflows.
- Organization secrets can be shared across repos.
- Environment secrets are gated behind environment rules.
Why it matters
Secrets keep credentials out of source control and CI logs. Pairing them with environment protection rules adds approval gates around the most sensitive values.
Related concepts
Secrets complement GITHUB_TOKEN, are often scoped via environments, and can frequently be replaced with OIDC for cloud auth.
Key takeaways
- A secret is an encrypted variable masked in logs.
- Scopes are repository, organization, and environment.
- Read them with
${{ secrets.NAME }}.