How to Store and Use an Encrypted Secret in GitHub Actions
Encrypted secrets live in repo or environment settings and reach a step only through the secrets context, never hard-coded in the workflow file.
Create the secret in Settings (or with gh secret set), then reference secrets.NAME and bind it to an env: on just the step that uses it.
Steps
- Add the secret in Settings to Secrets and variables, or run
gh secret set NAME. - Map
secrets.NAMEto anenv:on the step that needs it. - Pass it to the tool via the env var, not on the command line.
Workflow
.github/workflows/ci.yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Publish
env:
API_TOKEN: ${{ secrets.API_TOKEN }}
run: ./deploy.sh # reads $API_TOKEN from the environmentGotchas
- GitHub auto-masks secret values in logs, but only the exact stored string; transformed forms can still leak.
- Secrets are not passed to workflows triggered by a fork PR.
Related guides
How to Mask a Runtime Token in Workflow Logs in GitHub ActionsHide a value computed at runtime from GitHub Actions logs with the add-mask workflow command, so a minted tok…
How to Read Secrets From AWS Secrets Manager in a Workflow in GitHub ActionsPull runtime secrets from AWS Secrets Manager in GitHub Actions with OIDC and the official action, exporting…