gh secret set Command Reference
Create or update an encrypted secret from the command line.
gh secret set stores an encrypted secret for Actions, an environment, or Dependabot. It is the scriptable way to provision secrets during repo bootstrap.
What it does
gh secret set encrypts a value with the repo or org public key and stores it as a named secret. The value can come from a flag, stdin (--body -), or a file, so it never has to appear in shell history or logs.
Common flags and usage
- NAME: the secret name to create or update
- --body / -b and --body -: value inline or from stdin
- --env ENVIRONMENT: scope to a deployment environment
- --org ORG --visibility: set an organization secret
- --app dependabot|actions|codespaces: target a secret store
Example
shell
# Read from stdin so the value is never in argv or logs
printf '%s' "${NEW_API_KEY}" | gh secret set API_KEY --body -In CI
Pipe the value via --body - so it never appears in process arguments or logs. Use --env to scope a secret to a single deployment environment. The token running the command needs admin on the target repo or org.
Key takeaways
- gh secret set encrypts the value client-side with the repo or org public key.
- Use --body - to read from stdin and keep the value out of argv and logs.
- --env and --org scope secrets to environments or organizations.
Related guides
gh auth login Command ReferenceReference for gh auth login in CI/CD: authenticate the GitHub CLI non-interactively with a token via stdin or…
gh api Command ReferenceReference for gh api in CI/CD: call any REST or GraphQL endpoint with authentication handled, pass fields, pa…
gh repo clone Command ReferenceReference for gh repo clone in CI/CD: clone a repository with gh authentication, pass git clone flags after a…