Skip to content
Latchkey

How to Migrate Secrets to GitHub Actions

Every CI system stores secrets differently, but they all map to repository, environment, or organization secrets in Actions referenced through the secrets context.

Inventory the secrets in your current tool, recreate them as repository, environment, or organization secrets, then reference secrets.NAME in workflows. Use environment secrets to scope credentials per deploy target.

Concept mapping

SourceGitHub Actions
Travis secure envrepository secret
GitLab masked/protected variablesrepository or environment secret
CircleCI contextorganization secret
Jenkins credentialsrepository/environment secret

Set and reference

Terminal
# create the secret with the GitHub CLI
gh secret set NPM_TOKEN --body "$TOKEN" --repo my-org/my-repo

Workflow

.github/workflows/publish.yml
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

What does not map cleanly

  • Actions never prints secrets and masks them in logs, but a secret written to $GITHUB_ENV or echoed can still leak once; mask computed values.
  • Fork pull requests get no secrets, so credentialed steps must run off protected branches.
  • Organization secrets need a visibility policy to reach the right repositories.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →