GitHub Actions Secrets Management

Secure API keys in your CI/CD pipelines

GitHub Actions provides robust secrets management for CI/CD workflows. This guide covers best practices for storing and using API keys securely in your pipelines.

Types of Secrets

  • Repository secrets - Available to all workflows in a repository
  • Environment secrets - Bound to specific deployment environments
  • Organization secrets - Shared across multiple repositories
  • Dependabot secrets - For dependency update workflows

Using Secrets in Workflows

Access secrets through the secrets context in your workflow YAML. The runner automatically masks secret values in log output.

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Deploy
        env:
          API_KEY: ${{ secrets.API_KEY }}
          DB_URL: ${{ secrets.DATABASE_URL }}
        run: ./deploy.sh
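As an added example that is not part of this guide, here is a deploy.sh the workflow above could call. It assumes the secrets arrive as the API_KEY and DB_URL environment variables shown in the env: block, and that the bearer token is a base64 encoding of the key (an assumed format); it fails fast when a secret is missing, never prints secret values, and registers derived values for masking.

```shell
#!/bin/sh
# Added example, not code from the page: a deploy.sh that fails fast when a
# required secret is missing, never prints secret values, and masks values
# derived from secrets so they do not appear in Actions log output.
set -eu

# Environment variable names supplied by the workflow's env: block.
REQUIRED_VARS="API_KEY DB_URL"

# Succeed only if every named variable is set and non-empty. On failure,
# report the NAME of the missing variable; the value is never printed.
check_required_vars() {
  missing=0
  for name in $1; do
    # eval is acceptable here: names come from the fixed list above, not input.
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "::error::required secret $name is not set" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Emit the workflow command that tells the runner to mask a value in logs.
# Actions masks only the exact secret string, so anything derived from it
# (an encoded form, a URL that embeds it) must be registered explicitly.
mask_value() {
  printf '::add-mask::%s\n' "$1"
}

# Derive a bearer token from the API key (base64, as an assumed format).
derive_token() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

main() {
  check_required_vars "$REQUIRED_VARS"
  token=$(derive_token "$API_KEY")
  mask_value "$token"
  # Deployment steps would use "$token" and "$DB_URL" from here on.
  echo "deploy: secrets present and masked"
}

# Run only inside a GitHub Actions job (GITHUB_ACTIONS is set by the runner),
# so the functions above can be sourced and tested elsewhere.
if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  main
fi
```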

Secret Scanning

Enable GitHub's secret scanning to automatically detect exposed API keys. Configure push protection to prevent committing secrets to main branches.

Best Practices

  • Use environment-specific secrets for different pipelines
  • Rotate secrets regularly
  • Limit secret access with GitHub Apps instead of personal access tokens (PATs)
  • Audit secret usage through the GitHub audit log
  • Use OpenID Connect for cloud provider authentication