How to Use Secrets in GitHub Actions Safely
Secrets are easy to use and easy to misuse. Here is the safe pattern and the gotchas.
GitHub encrypts secrets and masks them in logs, but scope and fork behavior trip people up.
Scopes
- Repository secrets - available to all workflows in the repo.
- Environment secrets - scoped to a deployment environment with optional protection rules.
- Organization secrets - shared across repos with access control.
Using a secret
.github/workflows/deploy.yml
steps:
- run: ./deploy.sh
env:
API_TOKEN: ${{ secrets.API_TOKEN }}Gotchas
- Secrets are not passed to workflows triggered by forked PRs (by design).
- Do not
echosecrets - they are masked, but structured output can still leak them. - Use OIDC instead of static cloud keys where possible.
Related guides
GitHub Actions secret not available to fork pull_requestFix the GitHub Actions issue where secrets are empty for workflows triggered by pull_request from a fork, by…
How to Use OIDC to Authenticate GitHub Actions to AWSAuthenticate GitHub Actions to AWS with OIDC - no long-lived secrets. Set up the IAM role, trust policy, and…