Skip to content
Latchkey

How to Use Secrets in GitHub Actions Safely

Secrets are easy to use and easy to misuse. Here is the safe pattern and the gotchas.

GitHub encrypts secrets and masks them in logs, but scope and fork behavior trip people up.

Scopes

  • Repository secrets - available to all workflows in the repo.
  • Environment secrets - scoped to a deployment environment with optional protection rules.
  • Organization secrets - shared across repos with access control.

Using a secret

.github/workflows/deploy.yml
steps:
  - run: ./deploy.sh
    env:
      API_TOKEN: ${{ secrets.API_TOKEN }}

Gotchas

  • Secrets are not passed to workflows triggered by forked PRs (by design).
  • Do not echo secrets - they are masked, but structured output can still leak them.
  • Use OIDC instead of static cloud keys where possible.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →