Note: GitHub Actions is currently available as a limited public beta, which means you should avoid using it for high-value workflows and content during this beta period. Creating workflows that use GitHub Actions is limited to private repositories during the limited public beta.
Features and requirements may change at any time during this period. You can request to join the limited public beta on the GitHub Actions page. If you're participating in the beta, please contact support if you have any questions.
You can store encrypted secrets in the visual workflow editor or the repository settings and choose which actions within a workflow file will have access to the decrypted values. Once you create a secret in your repository, it will be available to select when editing an action in the visual workflow editor or using the secrets attribute in your main.workflow file. Secrets set in a repository are accessible by anyone with write access to the repository.
Warning: Do not store production secrets in the API during the limited public beta period. Production workflows should not be used during the limited public beta.
GitHub token secret
Every repository has a secret called GITHUB_TOKEN that can be made available to any action. This secret is a GitHub App installation token that has been scoped to the repository in which the workflow resides and can be used to make GitHub API requests. You can execute up to 1000 requests in an hour across all Actions within a repository.
Limitations for secrets
Your workflow can use up to 100 unique secrets, and the names of secret environment variables must be unique per repository.
Secrets are limited to 64 KB in size. If you must store larger secrets, see "Storing larger secrets."
Warning: Be careful that your secrets do not get printed when your action runs. Secrets are not obfuscated from the command output and could be visible in logs.
Storing larger secrets
Encrypted secrets can be stored in your repository, and the decryption passphrase can be saved as a secret on GitHub. For example, you can use gpg to encrypt your credentials locally:
Run the following command:
gpg --symmetric --cipher-algo AES256 xcloud.json
You will be prompted to enter a passphrase. Remember this, because you'll need to enter it into GitHub when configuring your workflow.
Copy the encrypted file into your repository and commit it.
Inside of an action, you can decrypt and use the secrets:
#!/bin/sh
# Decrypt the file
mkdir -p /secrets
gpg -q --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" -o /secrets/xcloud.json xcloud.json.gpg
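A hardened variant of the decryption step above, as an added example that is not part of the original page. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback) and uses a hypothetical function name, decrypt_large_secret; the passphrase reaches gpg on stdin rather than on the command line, and shell tracing is switched off so the value cannot end up in the action log.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumptions: GnuPG >= 2.1, and
# LARGE_SECRET_PASSPHRASE is provided to the action as a secret.
# Usage inside the action:
#   decrypt_large_secret xcloud.json.gpg /secrets/xcloud.json

# The function body is a subshell, so the umask and "set +x" changes
# stay local to it.
# Exit codes: 2 = passphrase missing, 3 = input missing, 4 = decrypt failed.
decrypt_large_secret() (
    set +x        # stop tracing before any line expands the passphrase
    umask 077     # decrypted file is readable by the current user only
    enc_file=$1
    out_file=$2

    # Fail early, naming the variable but never printing its value.
    if [ -z "${LARGE_SECRET_PASSPHRASE:-}" ]; then
        echo "LARGE_SECRET_PASSPHRASE is not set" >&2
        exit 2
    fi
    if [ ! -f "$enc_file" ]; then
        echo "encrypted file not found: $enc_file" >&2
        exit 3
    fi
    mkdir -p "$(dirname "$out_file")" || exit 4

    # printf is a shell builtin in sh/dash/bash, so the passphrase travels
    # over a pipe instead of appearing in another process's arguments.
    printf '%s' "$LARGE_SECRET_PASSPHRASE" |
        gpg --quiet --batch --yes --pinentry-mode loopback \
            --passphrase-fd 0 --decrypt -o "$out_file" "$enc_file" ||
        { rm -f "$out_file"; exit 4; }   # leave no partial plaintext behind
)
```
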