How to Store a GitHub App Private Key and App ID as Secrets
Put the PEM private key in an encrypted secret and the App id in a variable, then reference both from the token action.
The App id is not sensitive and fits an Actions variable. The PEM private key is a credential and belongs in an encrypted secret at repo or org level. Prefer org-level secrets so many repos share one rotation point.
Steps
- Add the full PEM (including header and footer lines) as
APP_PRIVATE_KEYsecret. - Add the numeric App id as
APP_IDvariable. - Reference
secrets.APP_PRIVATE_KEYandvars.APP_IDin the token action.
Set them with the CLI
Terminal
# App id is not a secret; store as a variable
gh variable set APP_ID --body "123456"
# Private key is sensitive; store the whole PEM as a secret
gh secret set APP_PRIVATE_KEY < app-private-key.pemGotchas
- Paste the entire PEM including the BEGIN and END lines and newlines.
- Delete the local .pem after uploading; do not commit it.
- Rotate the key by generating a new one in App settings and updating the secret.
Related guides
How to Set GitHub App Permissions and Install It for CIConfigure a GitHub App with least-privilege repository permissions and install it on the repos your CI needs,…
How to Rotate GitHub Tokens and App Keys Used by CIRotate the credentials CI depends on, from PATs to GitHub App private keys, on a schedule and after any suspe…