Hardhat "Invalid account: private key too short" in CI
Hardhat parsed the accounts array in a network config and one entry is not a valid 32-byte private key. In CI this almost always means a secret was not injected, so the value is empty or truncated.
What this error means
A command using a network config fails with "HardhatError: HH8: ... Invalid account: #0 for network: sepolia - private key too short, expected 32 bytes".
Invalid account: #0 for network: sepolia - private key too short, expected 32 bytesCommon causes
The private key secret is not set in CI
The config reads process.env.PRIVATE_KEY, which is undefined or empty on the runner, so hardhat sees a zero-length key.
The key is missing its 0x prefix or is truncated
A key stored without the expected format or accidentally clipped does not decode to 32 bytes.
How to fix it
Inject a valid key from a secret
- Store a real 32-byte private key as a CI secret.
- Expose it to the step and reference it in the accounts array.
- Only configure the network for jobs that actually need signing.
env:
PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}Guard the accounts array against empty values
Include the account only when the key is present so local compile and test jobs do not fail on a missing secret.
accounts: process.env.PRIVATE_KEY ? [process.env.PRIVATE_KEY] : [],How to prevent it
- Never commit private keys; inject them via secrets.
- Guard signing networks so unit tests do not require a key.
- Validate key format before configuring a network.