Skip to content
Latchkey

How to Store a GitHub App Private Key and App ID as Secrets

Put the PEM private key in an encrypted secret and the App id in a variable, then reference both from the token action.

The App id is not sensitive and fits an Actions variable. The PEM private key is a credential and belongs in an encrypted secret at repo or org level. Prefer org-level secrets so many repos share one rotation point.

Steps

  • Add the full PEM (including header and footer lines) as APP_PRIVATE_KEY secret.
  • Add the numeric App id as APP_ID variable.
  • Reference secrets.APP_PRIVATE_KEY and vars.APP_ID in the token action.

Set them with the CLI

Terminal
# App id is not a secret; store as a variable
gh variable set APP_ID --body "123456"

# Private key is sensitive; store the whole PEM as a secret
gh secret set APP_PRIVATE_KEY < app-private-key.pem

Gotchas

  • Paste the entire PEM including the BEGIN and END lines and newlines.
  • Delete the local .pem after uploading; do not commit it.
  • Rotate the key by generating a new one in App settings and updating the secret.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →