Skip to content
Latchkey

How to Store and Use an Encrypted Secret in GitHub Actions

Encrypted secrets live in repo or environment settings and reach a step only through the secrets context, never hard-coded in the workflow file.

Create the secret in Settings (or with gh secret set), then reference secrets.NAME and bind it to an env: on just the step that uses it.

Steps

  • Add the secret in Settings to Secrets and variables, or run gh secret set NAME.
  • Map secrets.NAME to an env: on the step that needs it.
  • Pass it to the tool via the env var, not on the command line.

Workflow

.github/workflows/ci.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
        run: ./deploy.sh   # reads $API_TOKEN from the environment

Gotchas

  • GitHub auto-masks secret values in logs, but only the exact stored string; transformed forms can still leak.
  • Secrets are not passed to workflows triggered by a fork PR.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →