Using Secrets in GitHub Actions

Introduction

GitHub Actions is a powerful automation tool that allows you to build, test, and deploy your code right from your GitHub repository. When working with sensitive data such as API keys, passwords, or any private information, it is critical to manage this data securely. This lesson focuses on using Secrets in GitHub Actions to keep sensitive data secure during your CI/CD processes.

What are Secrets?

Secrets are encrypted environment variables that you create in your GitHub repository. They are utilized in GitHub Actions workflows to allow sensitive information to be securely passed to your scripts and commands without exposing the actual values in your code.

Key characteristics of secrets:

  • Secrets are encrypted at rest and in transit.
  • They can be used in workflows, and GitHub masks their values in workflow logs.
  • A repository secret is scoped to the repository in which it is created; organization secrets can be shared across repositories.

Creating Secrets

To create a secret in your GitHub repository:

  1. Navigate to your GitHub repository.
  2. Click on the "Settings" tab.
  3. In the left sidebar, click on "Secrets and variables".
  4. Select "Actions".
  5. Click on the "New repository secret" button.
  6. Enter a name for your secret (e.g., MY_SECRET_KEY) and its value.
  7. Click "Add secret" to save it.

Using Secrets in Workflows

Once you have created your secrets, you can access them in your workflow file. Here's how to use secrets in a GitHub Actions workflow:

```yaml
name: CI

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Deploy to Server
        env:
          MY_SECRET_KEY: ${{ secrets.MY_SECRET_KEY }}
        run: |
          echo "Deploying with secret key..."
          # Here you can use the secret in your deployment command
          # For example: deploy_command --key $MY_SECRET_KEY
```
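The workflow above hands the secret to the step as the environment variable MY_SECRET_KEY. The script below is an added example (not part of the original lesson) of what such a step might run: it reads the secret only from the environment, fails fast when it is missing, and, for tools that want a credential file, writes it with owner-only permissions. `deploy_command` is a placeholder for the real deployment tool.

```shell
#!/bin/sh
# Hypothetical step script (deploy.sh) for the workflow above. The workflow
# exports the secret via `env:`, so this script reads it from the environment
# rather than pasting `${{ secrets.MY_SECRET_KEY }}` into the shell text or
# putting the value on a command line where `ps` could show it.
set -eu

# Return 0 when the named environment variable is set and non-empty,
# 1 otherwise (for example in a pull_request run from a fork, where GitHub
# does not supply repository secrets).
require_secret() {
  local name value
  name=$1
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "::error::required secret $name is not set" >&2
    return 1
  fi
}

# Write the secret to a file readable only by its owner, for tools that take a
# credential file instead of an environment variable. umask is tightened in a
# subshell so the file is never created with wider permissions. Prints the path.
write_credential_file() {
  local name file
  name=$1
  file=$(mktemp)
  ( umask 077; eval "printf '%s' \"\${$name}\"" > "$file" )
  chmod 600 "$file"
  echo "$file"
}

# Return 0 when the file is readable and writable only by its owner (mode 0600).
is_owner_only() {
  [ -n "$(find "$1" -perm 0600)" ]
}

# Deploy using the secret without ever printing it.
# deploy_command is a placeholder for the job's real deployment tool.
deploy() {
  local cred
  require_secret MY_SECRET_KEY || return 1
  cred=$(write_credential_file MY_SECRET_KEY)
  trap "rm -f '$cred'" EXIT   # remove the credential file when the step ends
  echo "Deploying with credential file $cred (key value not logged)"
  # deploy_command --key-file "$cred"
}

# Run the deployment only when the secret is present, so the helpers can also
# be sourced for testing without side effects.
if [ -n "${MY_SECRET_KEY:-}" ]; then
  deploy
fi
```

Passing the value through a file or the environment rather than as an argument matters because `deploy_command --key $MY_SECRET_KEY` still exposes the key in the process list of the runner while the command executes.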

Best Practices

When using secrets in GitHub Actions, consider the following best practices:

  • Give the credential stored in each secret the minimum permissions it needs.
  • Rotate secrets regularly to mitigate potential leaks.
  • Do not hard-code secrets in your workflow files.
  • Use repository secrets for repository-specific data and organization secrets for data shared across multiple repositories.

Important: Always ensure that sensitive data is not printed in logs. GitHub automatically redacts secrets in logs, but be cautious with echo statements and other output commands.
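GitHub's automatic redaction covers the registered secret value itself; a value derived from it during the job (for example a session token obtained by exchanging the key) is not known to the runner and is not masked unless the step registers it with the `::add-mask::` workflow command. The script below is an added example (not part of the original lesson) that registers such derived values and refuses to log any line containing one. The token exchange is a constructed stand-in for a real API call.

```shell
#!/bin/sh
set -eu

# Space-separated list of values that must never reach the job log. GitHub masks
# the exact repository secret on its own; derived values are added here and
# reported to the runner so they get the same treatment.
# Limitation of this simple list: values containing spaces are not supported.
SENSITIVE=""

# Remember a value and tell the GitHub Actions runner to mask it in the log
# from this point on (the ::add-mask:: workflow command is read from stdout).
register_sensitive() {
  SENSITIVE="$SENSITIVE $1"
  printf '::add-mask::%s\n' "$1"
}

# Print a line only if it contains none of the registered sensitive values;
# otherwise emit a warning and return 1 without printing the line.
safe_log() {
  local line v
  line=$1
  for v in $SENSITIVE; do
    case "$line" in
      *"$v"*)
        echo "::warning::refused to log a line containing a sensitive value" >&2
        return 1
        ;;
    esac
  done
  echo "$line"
}

# Constructed stand-in for exchanging the long-lived key for a short-lived
# session token. A real exchange would call the deployment target's API; the
# point is only that the result is derived from the secret and therefore not
# masked automatically.
exchange_for_session_token() {
  printf 'sess-%s' "$(printf '%s' "$1" | cksum | cut -d' ' -f1)"
}

# Demonstration: mask both the secret and the token before any logging happens.
if [ -n "${MY_SECRET_KEY:-}" ]; then
  token=$(exchange_for_session_token "$MY_SECRET_KEY")
  register_sensitive "$MY_SECRET_KEY"
  register_sensitive "$token"
  safe_log "session established (token masked)"
fi
```

Register a derived value before the first command that might print it: the runner masks output only from the moment it sees the `::add-mask::` line, so anything already written to the log stays visible.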

FAQ

Can I use secrets in pull request workflows?

Yes, but be cautious. Secrets are not accessible in workflows triggered by pull requests from forks for security reasons.

How can I update a secret?

To update a secret, go to the "Secrets and variables" section, click on the secret name, edit the value, and click "Update secret".

Are secrets shared across repositories?

Repository secrets are not: they are scoped to the repository in which they are created. To share a secret across multiple repositories, create it as an organization-level secret instead.