Skip to content
Latchkey

gh variable set: Usage, Options & Common CI Errors

Set non-secret Actions configuration variables - repo, environment, or org.

gh variable set creates or updates a GitHub Actions configuration variable (vars context). Unlike secrets, variable values are not encrypted and are visible in logs, so use them only for non-sensitive config.

What it does

gh variable set <name> stores a plaintext Actions variable readable in workflows via the vars context (vars.NAME). It scopes to a repo (default), an environment (--env), or an org (--org with --visibility), and reads the value from --body, stdin, or an env file.

Common usage

Terminal
# Set a repo variable
gh variable set REGION --body "us-east-1"

# From stdin
echo "us-east-1" | gh variable set REGION

# Environment and org scopes
gh variable set TIER --env production --body "premium"
gh variable set REGISTRY --org my-org --visibility all --body "ghcr.io"

Common error in CI: variable used for a secret / 403

A frequent mistake is storing a token as a variable - it then appears in plaintext in logs and the API. gh variable set can also 403 without admin access. Fix: put sensitive values in secrets (gh secret set), not variables; variables are for non-secret config only. For permissions, use a PAT/App token with repo or org admin - the default GITHUB_TOKEN cannot manage variables. Org variables require --visibility.

Key options

OptionPurpose
<name>Variable name to set
-b, --bodyVariable value (else read from stdin)
-e, --envTarget a deployment environment
-o, --orgTarget an organization
-v, --visibilityOrg variable visibility (with --org)

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →