Skip to content
Latchkey

How to Rotate Environment Secrets in GitHub Actions

gh secret set --env writes a new value to an environment secret, so rotation needs no workflow edit.

Run gh secret set <NAME> --env <environment> to overwrite the stored value, driven by a scheduled workflow that mints a fresh credential. The deploy workflow keeps reading secrets.<NAME> unchanged.

Steps

  • Mint a new credential in a scheduled rotation workflow.
  • Run gh secret set <NAME> --env <environment> --body "$NEW".
  • Deploy jobs keep referencing ${{ secrets.<NAME> }} with no edit.

Workflow

.github/workflows/ci.yml
on:
  schedule:
    - cron: '0 4 1 * *'   # monthly at 04:00 UTC
jobs:
  rotate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: |
          NEW=$(./mint-credential.sh)
          echo "::add-mask::$NEW"
          gh secret set API_KEY --env production --body "$NEW"
        env:
          GH_TOKEN: ${{ secrets.GH_ADMIN_TOKEN }}

Gotchas

  • Setting environment secrets needs a token with admin rights, not the default GITHUB_TOKEN.
  • Mask the new value before passing it so the rotation log stays clean.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →