GitHub Actions Environment Secrets Empty - environment: Not Set on Job
A secret defined under a GitHub Environment resolves to empty because the job did not set environment:. Environment secrets and variables are only available to jobs explicitly assigned to that environment.
What this error means
A job reads secrets.<NAME> for a value stored as an environment secret and gets an empty string, while repo-level secrets work fine.
Error: required secret DEPLOY_KEY is empty
# DEPLOY_KEY is an environment secret on "production",
# but the job has no environment: productionCommon causes
Job missing environment:
Environment-scoped secrets and variables are injected only when the job declares environment:. Without it, those values are not in scope.
Secret stored at the wrong scope
A value saved as an environment secret is not visible as a repo secret, and vice versa. Mismatched scope yields an empty reference.
How to fix it
Assign the job to the environment
Set environment: on the job so its environment secrets and variables load.
jobs:
deploy:
environment: production
runs-on: ubuntu-latest
steps:
- run: ./deploy.sh
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}Confirm the secret scope
- Check whether the secret is defined at repo, environment, or org level.
- Move it to the scope the job uses, or set environment: to match.
- For variables, the same rule applies via the vars context.
How to prevent it
- Set environment: on jobs that consume environment secrets.
- Keep a single documented scope for each secret.
- Verify the secret scope matches how the job is configured.