How to Migrate Secrets to GitHub Actions
Every CI system stores secrets differently, but they all map to repository, environment, or organization secrets in Actions referenced through the secrets context.
Inventory the secrets in your current tool, recreate them as repository, environment, or organization secrets, then reference secrets.NAME in workflows. Use environment secrets to scope credentials per deploy target.
Concept mapping
| Source | GitHub Actions |
|---|---|
Travis secure env | repository secret |
| GitLab masked/protected variables | repository or environment secret |
| CircleCI context | organization secret |
| Jenkins credentials | repository/environment secret |
Set and reference
Terminal
# create the secret with the GitHub CLI
gh secret set NPM_TOKEN --body "$TOKEN" --repo my-org/my-repoWorkflow
.github/workflows/publish.yml
jobs:
publish:
runs-on: ubuntu-latest
environment: production
steps:
- run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}What does not map cleanly
- Actions never prints secrets and masks them in logs, but a secret written to
$GITHUB_ENVor echoed can still leak once; mask computed values. - Fork pull requests get no secrets, so credentialed steps must run off protected branches.
- Organization secrets need a visibility policy to reach the right repositories.
Related guides
How to Migrate Jenkins Credentials to GitHub Actions SecretsMove Jenkins credentials and the withCredentials block to GitHub Actions repository or environment secrets re…
CI Concept Mapping to GitHub ActionsA cross-tool mapping of common CI concepts (matrix, cache, artifacts, secrets, services, conditionals, manual…