Note: GitHub Actions is currently available in public beta, which means you should avoid using it for high-value workflows and content during this beta period.
Features and requirements may change at any time during this period. You can request to join the public beta on the GitHub Actions page. If you're participating in the beta, please contact support if you have any questions.
You can add secrets using the visual workflow editor or the repository settings. Once you create a secret, GitHub encrypts the value immediately and you can no longer view or edit the value. Anyone with write access to a repository can create and use secrets in that repository.
Once you create a secret in your repository, any action in that repository can be configured to have access to the secret's decrypted value. You can configure access to secrets for each action in a repository individually from the visual workflow editor or using the secrets attribute in your
Warning: Do not store production secrets in the API during the limited public beta period. Production workflows should not be used during the limited public beta.
GitHub token secret
The GITHUB_TOKEN secret is a GitHub App installation token scoped to the repository containing the workflow. You will need to use a GITHUB_TOKEN to make authenticated calls to the GitHub API. Every repository includes a GITHUB_TOKEN secret, but it's not available to an action by default. You must add the GITHUB_TOKEN secret to each action that requires access.
Limitations for secrets
Your workflow can have up to 100 secrets, and the names of secret environment variables must be unique per repository.
Secrets are limited to 64 KB in size. If you must store larger secrets, see "Storing larger secrets."
Warning: Be careful that your secrets do not get printed when your action runs. Secrets are not obfuscated from the command output and could be visible in logs.
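One mitigation for the warning above, as an added example rather than GitHub's own code: a POSIX shell filter that replaces the values of named secret environment variables with *** before command output reaches the log. The function name mask_secrets and the deploy.sh script in the usage comment are hypothetical, and the filter only covers single-line secret values that appear verbatim.

```shell
#!/bin/sh
# mask_secrets NAME...
# Copies stdin to stdout, replacing every literal occurrence of the value of
# each named (exported) environment variable with ***.
# Assumptions of this example: secret values are single-line and show up
# unmodified; encoded or transformed copies (base64, URL-encoded) are not caught.
mask_secrets() {
    awk -v names="$*" '
    BEGIN {
        m = 0
        n = split(names, name, " ")
        for (i = 1; i <= n; i++) {
            v = ENVIRON[name[i]]          # value is read raw from the environment
            if (length(v) > 0) secret[++m] = v
        }
    }
    {
        line = $0
        for (i = 1; i <= m; i++) {
            out = ""
            # index() matches literally, so regex characters in a secret are safe
            while ((p = index(line, secret[i])) > 0) {
                out = out substr(line, 1, p - 1) "***"
                line = substr(line, p + length(secret[i]))
            }
            line = out line
        }
        print line
    }'
}

# Usage inside an action entrypoint (deploy.sh is a hypothetical script):
#   ./deploy.sh 2>&1 | mask_secrets GITHUB_TOKEN LARGE_SECRET_PASSPHRASE
```

The names are passed instead of the values so that the secrets themselves never appear in the filter's argument list.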
Storing larger secrets
Encrypted secrets can be stored in your repository, and the decryption passphrase can be saved as a secret on GitHub. For example, you can use gpg to encrypt your credentials locally:
Run the following command:
gpg --symmetric --cipher-algo AES256 xcloud.json
You will be prompted to enter a passphrase. Remember this passphrase, because you'll need to enter it into GitHub when configuring your workflow.
Copy the encrypted file into your repository and commit it.
Inside of an action, you can decrypt and use the secrets:
#!/bin/sh
# Decrypt the file
mkdir -p /secrets
gpg -q --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" -o /secrets/xcloud.json xcloud.json.gpg