Skip to content
Latchkey

GitHub Actions Environment Secrets Empty - environment: Not Set on Job

A secret defined under a GitHub Environment resolves to empty because the job did not set environment:. Environment secrets and variables are only available to jobs explicitly assigned to that environment.

What this error means

A job reads secrets.<NAME> for a value stored as an environment secret and gets an empty string, while repo-level secrets work fine.

Actions log
Error: required secret DEPLOY_KEY is empty
# DEPLOY_KEY is an environment secret on "production",
# but the job has no environment: production

Common causes

Job missing environment:

Environment-scoped secrets and variables are injected only when the job declares environment:. Without it, those values are not in scope.

Secret stored at the wrong scope

A value saved as an environment secret is not visible as a repo secret, and vice versa. Mismatched scope yields an empty reference.

How to fix it

Assign the job to the environment

Set environment: on the job so its environment secrets and variables load.

.github/workflows/deploy.yml
jobs:
  deploy:
    environment: production
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}

Confirm the secret scope

  1. Check whether the secret is defined at repo, environment, or org level.
  2. Move it to the scope the job uses, or set environment: to match.
  3. For variables, the same rule applies via the vars context.

How to prevent it

  • Set environment: on jobs that consume environment secrets.
  • Keep a single documented scope for each secret.
  • Verify the secret scope matches how the job is configured.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →