How to Rotate Environment Secrets in GitHub Actions
gh secret set --env writes a new value to an environment secret, so rotation needs no workflow edit.
Run gh secret set <NAME> --env <environment> to overwrite the stored value, driven by a scheduled workflow that mints a fresh credential. The deploy workflow keeps reading secrets.<NAME> unchanged.
Steps
- Mint a new credential in a scheduled rotation workflow.
- Run
gh secret set <NAME> --env <environment> --body "$NEW". - Deploy jobs keep referencing
${{ secrets.<NAME> }}with no edit.
Workflow
.github/workflows/ci.yml
on:
schedule:
- cron: '0 4 1 * *' # monthly at 04:00 UTC
jobs:
rotate:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- run: |
NEW=$(./mint-credential.sh)
echo "::add-mask::$NEW"
gh secret set API_KEY --env production --body "$NEW"
env:
GH_TOKEN: ${{ secrets.GH_ADMIN_TOKEN }}Gotchas
- Setting environment secrets needs a token with admin rights, not the default GITHUB_TOKEN.
- Mask the new value before passing it so the rotation log stays clean.
Related guides
How to Use Environment-Scoped Secrets in GitHub ActionsBind secrets to a single GitHub Actions environment so a job only sees that target credentials when it declar…
How to Choose Repository vs Environment vs Organization Secrets in GitHub ActionsUnderstand the three GitHub Actions secret scopes (organization, repository, environment) and which one wins…