Secrets

Encrypted secrets allow you to store sensitive information, such as access tokens, in your repository. For more information, see "Creating and using encrypted secrets" in the GitHub Help documentation.

This API is available for authenticated users, OAuth Apps, and GitHub Apps. Access tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the secrets permission to use this API. Authenticated users must have collaborator access to a repository to create, update, or read secrets.

GitHub Actions is available with GitHub Free, GitHub Pro, GitHub Team, GitHub Enterprise Cloud, and GitHub One. GitHub Actions is not available for repositories owned by accounts using legacy per-repository plans. For more information, see GitHub's products in the GitHub Help documentation.

Get your public key

Gets your public key, which you must store. You need your public key to use other secrets endpoints. Use the returned key to encrypt your secrets. Anyone with read access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.

GET /repos/:owner/:repo/actions/secrets/public-key

Response

Status: 200 OK
{
  "key_id": "1234",
  "key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvv1234"
}

List secrets for a repository

Lists all secrets available in a repository without revealing their encrypted values. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.

GET /repos/:owner/:repo/actions/secrets

Response

Status: 200 OK
Link: <https://api.github.com/resource?page=2>; rel="next",
      <https://api.github.com/resource?page=5>; rel="last"
{
  "total_count": 2,
  "secrets": [
    {
      "name": "GH_TOKEN",
      "created_at": "2019-08-10T14:59:22Z",
      "updated_at": "2020-01-10T14:59:22Z"
    },
    {
      "name": "GIST_ID",
      "created_at": "2020-01-10T10:59:22Z",
      "updated_at": "2020-01-11T11:59:22Z"
    }
  ]
}

Get a secret

Gets a single secret without revealing its encrypted value. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.

GET /repos/:owner/:repo/actions/secrets/:name

Response

Status: 200 OK
{
  "name": "GH_TOKEN",
  "created_at": "2019-08-10T14:59:22Z",
  "updated_at": "2020-01-10T14:59:22Z"
}

Create or update a secret for a repository

Creates or updates a secret with an encrypted value. Encrypt your secret using LibSodium. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.

PUT /repos/:owner/:repo/actions/secrets/:name

Parameters

| Name | Type | Description |
| --- | --- | --- |
| encrypted_value | string | Value for your secret, encrypted with LibSodium using the public key retrieved from the "Get your public key" endpoint. |
| key_id | string | ID of the key you used to encrypt the secret. |

Example encrypting a secret using Node.js

Encrypt your secret using the tweetsodium library.

const sodium = require('tweetsodium');

const key = "base64-encoded-public-key";
const value = "plain-text-secret";

// Convert the message and key to Uint8Arrays (Buffer implements that interface)
const messageBytes = Buffer.from(value);
const keyBytes = Buffer.from(key, 'base64');

// Encrypt using LibSodium.
const encryptedBytes = sodium.seal(messageBytes, keyBytes);

// Base64 the encrypted secret
const encrypted = Buffer.from(encryptedBytes).toString('base64');

console.log(encrypted);

Example encrypting a secret using Python

Encrypt your secret using pynacl with Python 3.

from base64 import b64encode
from nacl import encoding, public

def encrypt(public_key: str, secret_value: str) -> str:
    """Encrypt a Unicode string using the public key."""
    public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
    sealed_box = public.SealedBox(public_key)
    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
    return b64encode(encrypted).decode("utf-8")

Example encrypting a secret using C#

Encrypt your secret using the Sodium.Core package.

var secretValue = System.Text.Encoding.UTF8.GetBytes("mySecret");
var publicKey = Convert.FromBase64String("2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU=");

var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);

Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));

Example encrypting a secret using Ruby

Encrypt your secret using the rbnacl gem.

require "rbnacl"
require "base64"

key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)

box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("my_secret")

# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)

Response when creating a secret

Status: 201 Created

Response when updating a secret

Status: 204 No Content
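
The whole create-or-update flow described above, as an added example that is not GitHub's code: it takes the response of the public-key endpoint, seals the value, and assembles the PUT request with the matching key_id. The function names, the owner and repository values, and the length checks are assumptions of this example; encryption uses PyNaCl as in the Python snippet above.

```python
import json
from base64 import b64decode, b64encode
from urllib.parse import quote

KEY_BYTES = 32      # Curve25519 public key length
SEAL_OVERHEAD = 48  # a sealed box adds a 32-byte ephemeral key and a 16-byte MAC


def seal(key_bytes: bytes, plaintext: bytes) -> bytes:
    """Sealed-box encryption with PyNaCl, as in the page's Python example."""
    from nacl import public  # lazy import: only this step needs PyNaCl
    return public.SealedBox(public.PublicKey(key_bytes)).encrypt(plaintext)


def build_secret_request(owner, repo, name, value, key_response, sealer=seal):
    """Return (method, path, json_body) for the create-or-update endpoint."""
    key_bytes = b64decode(key_response["key"], validate=True)
    if len(key_bytes) != KEY_BYTES:
        raise ValueError(f"key decodes to {len(key_bytes)} bytes, expected {KEY_BYTES}")
    plaintext = value.encode("utf-8")
    sealed = sealer(key_bytes, plaintext)
    # Catch a sealer that returned plaintext or some other non-sealed-box output.
    if len(sealed) != len(plaintext) + SEAL_OVERHEAD:
        raise ValueError("ciphertext length is not plaintext + 48; not sending")
    body = {
        "encrypted_value": b64encode(sealed).decode("ascii"),
        # key_id must come from the same response as the key used above.
        "key_id": key_response["key_id"],
    }
    parts = tuple(quote(p, safe="") for p in (owner, repo, name))
    return "PUT", "/repos/%s/%s/actions/secrets/%s" % parts, json.dumps(body)


if __name__ == "__main__":
    # Constructed input: key_id from the page's sample response, key from its
    # C# example; "octocat" and "hello-world" are hypothetical names.
    sample = {"key_id": "1234", "key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU="}
    print(*build_secret_request("octocat", "hello-world", "GH_TOKEN",
                                "plain-text-secret", sample))
```

Pass a different `sealer` to exercise the request assembly without PyNaCl installed.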

Delete a secret from a repository

Deletes a secret in a repository using the secret name. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.

DELETE /repos/:owner/:repo/actions/secrets/:name

Response

Status: 204 No Content