Skip to content
Latchkey

gh secret set Command Reference

Create or update an encrypted secret from the command line.

gh secret set stores an encrypted secret for Actions, an environment, or Dependabot. It is the scriptable way to provision secrets during repo bootstrap.

What it does

gh secret set encrypts a value with the repo or org public key and stores it as a named secret. The value can come from a flag, stdin (--body -), or a file, so it never has to appear in shell history or logs.

Common flags and usage

  • NAME: the secret name to create or update
  • --body / -b and --body -: value inline or from stdin
  • --env ENVIRONMENT: scope to a deployment environment
  • --org ORG --visibility: set an organization secret
  • --app dependabot|actions|codespaces: target a secret store

Example

shell
# Read from stdin so the value is never in argv or logs
printf '%s' "${NEW_API_KEY}" | gh secret set API_KEY --body -

In CI

Pipe the value via --body - so it never appears in process arguments or logs. Use --env to scope a secret to a single deployment environment. The token running the command needs admin on the target repo or org.

Key takeaways

  • gh secret set encrypts the value client-side with the repo or org public key.
  • Use --body - to read from stdin and keep the value out of argv and logs.
  • --env and --org scope secrets to environments or organizations.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →