gh variable set: Usage, Options & Common CI Errors
Set non-secret Actions configuration variables - repo, environment, or org.
gh variable set creates or updates a GitHub Actions configuration variable (vars context). Unlike secrets, variable values are not encrypted and are visible in logs, so use them only for non-sensitive config.
What it does
gh variable set <name> stores a plaintext Actions variable readable in workflows via the vars context (vars.NAME). It scopes to a repo (default), an environment (--env), or an org (--org with --visibility), and reads the value from --body, stdin, or an env file.
Common usage
# Set a repo variable
gh variable set REGION --body "us-east-1"
# From stdin
echo "us-east-1" | gh variable set REGION
# Environment and org scopes
gh variable set TIER --env production --body "premium"
gh variable set REGISTRY --org my-org --visibility all --body "ghcr.io"Common error in CI: variable used for a secret / 403
A frequent mistake is storing a token as a variable - it then appears in plaintext in logs and the API. gh variable set can also 403 without admin access. Fix: put sensitive values in secrets (gh secret set), not variables; variables are for non-secret config only. For permissions, use a PAT/App token with repo or org admin - the default GITHUB_TOKEN cannot manage variables. Org variables require --visibility.
Key options
| Option | Purpose |
|---|---|
| <name> | Variable name to set |
| -b, --body | Variable value (else read from stdin) |
| -e, --env | Target a deployment environment |
| -o, --org | Target an organization |
| -v, --visibility | Org variable visibility (with --org) |