Storing secrets

Note: GitHub Actions is currently available in public beta, which means you should avoid using it for high-value workflows and content during this beta period.

Features and requirements may change at any time during this period. You can request to join the public beta on the GitHub Actions page. If you're participating in the beta, please contact support if you have any questions.

You can add secrets using the visual workflow editor or the repository settings. Once you create a secret, GitHub encrypts the value immediately and you can no longer view or edit the value. Anyone with write access to a repository can create and use secrets in that repository.

Once you create a secret in your repository, any action in that repository can be configured to have access to the secret's decrypted value. You can configure access to secrets for each action in a repository individually from the visual workflow editor or using the secrets attribute in your main.workflow file.

Warning: Do not store production secrets in the API during the limited public beta period. Production workflows should not be used during the limited public beta.

GitHub token secret

The GITHUB_TOKEN secret is a GitHub App installation token scoped to the repository containing the workflow. You will need to use a GITHUB_TOKEN to make authenticated calls to the GitHub API. Every repository includes a GITHUB_TOKEN secret, but it's not available to an action by default. You must add the GITHUB_TOKEN secret to each action that requires access.

Token permissions

Permission Level
checks read/write
contents read/write
deployments read/write
issues read/write
metadata read
pages read/write
pull requests read/write
repository hooks read/write
repository projects read/write
statuses read/write

Limitations for secrets

Your workflow can have up to 100 secrets, and the names of secret environment variables must be unique per repository.

Size limit

Secrets are limited to 64 KB in size. If you must store larger secrets, see "Storing larger secrets."

Warning: Be careful that your secrets do not get printed when your action runs. Secrets are not obfuscated from the command output and could be visible in logs.

Storing larger secrets

Encrypted secrets can be stored in your repository, and the decryption passphrase can be saved as a secret on GitHub. For example, you can use gpg to encrypt your credentials locally:

  1. Run the following command:

    gpg --symmetric --cipher-algo AES256 xcloud.json
  2. You will be prompted to enter a passphrase. Remember this, because you'll need to enter it in to GitHub when configuring your workflow.

  3. Copy the encrypted file into your repository and commit it.

  4. Inside of an action, you can decrypt and use the secrets:

    # Decrypt the file
    mkdir -p /secrets
    gpg -q --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" -o /secrets/xcloud.json xcloud.json.gpg