Skip to content
Latchkey

How to Segregate Production Credentials in CI

Binding production secrets to a protected environment means only a job that names that environment (and passes its gate) can ever read them.

Production credentials should never be reachable from a pull request build or a test job. GitHub environment secrets solve this: they are visible only to jobs that declare the environment, which can require approval first. This page is educational configuration guidance.

Steps

  • Store production credentials as environment secrets, not repository secrets.
  • Protect that environment with required reviewers and branch restrictions.
  • Reference the environment only from the deploy job, never from build or test.

Gated deploy job

.github/workflows/deploy.yml
jobs:
  test:
    runs-on: ubuntu-latest       # no environment, cannot see prod secrets
    steps:
      - run: npm test
  deploy:
    needs: test
    runs-on: ubuntu-latest
    environment: production      # prod secrets are scoped here only
    steps:
      - run: ./deploy.sh
        env:
          PROD_DB_URL: ${{ secrets.PROD_DB_URL }}

Notes

  • A test job with no environment simply has no access to the production secret.
  • Restrict the environment to the default branch so forks cannot trigger prod access.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →