Storing secrets

Note: GitHub Actions are currently available as a limited public beta, which means you should avoid using it for high-value workflows and content during this beta period. Creating workflows that use GitHub Actions is limited to private repositories during the limited public beta.

Features and requirements may change at any time during this period. You can request to join the limited public beta on the GitHub Actions page. If you're participating in the beta, please contact support if you have any questions.

You can store encrypted secrets in the visual workflow editor or the repository settings and choose which actions within a workflow file will have access to the decrypted values. Once you create a secret in your repository, it will be available to select when editing an action in the visual workflow editor or using the secrets attribute in your main.workflow file. Secrets set in a repository are accessible by anyone with write access to the repository.

Warning: Do not store production secrets in the API during the limited public beta period. Production workflows should not be used during the limited public beta.

GitHub token secret

Every repository has a secret called GITHUB_TOKEN that can be made available to any action. This secret is a GitHub App installation token that has been scoped to the repository in which the workflow resides and can be used to make GitHub API requests. You can execute up to 1000 requests in an hour across all Actions within a repository.

Token permissions

Permission Level
checks read/write
contents read/write
deployments read/write
issues read/write
metadata read
pages read/write
pull requests read/write
repository hooks read/write
repository projects read/write
statuses read/write

Limitations for secrets

Your workflow can use up to 100 unique secrets, and the names of secret environment variables must be unique per repository.

Size limit

Secrets are limited to 64 KB in size. If you must store larger secrets, see "Storing larger secrets."

Warning: Be careful that your secrets do not get printed when your action runs. Secrets are not obfuscated from the command output and could be visible in logs.

Storing larger secrets

Encrypted secrets can be stored in your repository, and the decryption passphrase can be saved as a secret on GitHub. For example, you can use gpg to encrypt your credentials locally:

  1. Run the following command:

    gpg --symmetric --cipher-algo AES256 xcloud.json
    
  2. You will be prompted to enter a passphrase. Remember this, because you'll need to enter it in to GitHub when configuring your workflow.

  3. Copy the encrypted file into your repository and commit it.

  4. Inside of an action, you can decrypt and use the secrets:

    #!/bin/sh
    
    # Decrypt the file
    mkdir -p /secrets
    gpg -q --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" -o /secrets/xcloud.json xcloud.json.gpg