In doing this your secrets aren't going to be committed to GitHub, which is obviously good. The solution itself is not the best in terms of future proofing and scaling because you'll have to keep sharing that across any new host that needs the secret (new developers and so on). Using a secrets manager can help with this, although maybe it's not in scope for you at the moment. Using the secret in your application as an environment variable is a pretty standard method, so no real issues there.
Answer from turkeh on reddit.com
GitHub
docs.github.com › actions › security-guides › using-secrets-in-github-actions
Using secrets in GitHub Actions - GitHub Docs
To create secrets or variables for an environment in a personal account repository, you must be the repository owner. To create secrets or variables for an environment in an organization repository, you must have admin access.
GitHub
docs.github.com › actions › deployment › targeting-different-environments › using-environments-for-deployment
Managing environments for deployment - GitHub Docs
Environments, environment secrets, and deployment protection rules are available in public repositories for all current GitHub plans. They are not available on legacy plans, such as Bronze, Silver, or Gold. For access to environments, environment secrets, and deployment branches in private or internal repositories, you must use GitHub Pro, GitHub Team, or GitHub Enterprise.
Reddit
reddit.com › r/devops › github secrets: is it safe to store an environment secret to a file from within a github action?
r/devops on Reddit: GitHub Secrets: Is it safe to store an environment secret to a file from within a GitHub Action?
April 11, 2023 -

In other words, is it safe to have something like this in a .yml file:

# Add API key
- name: Add API key secret to file
  env:
    API_KEY_SECRET: ${{ secrets.API_KEY_SECRET }}
  run: echo "$API_KEY_SECRET" > ~/work/MyProject/MyProject/secrets/api_key.txt

To clarify, the secret is not pushed to the repository, initially it only exists as an environment secret. I'm not sure if the .txt file created above ends up somewhere unsecure. The reason I ask is because if this is secure, then I can have a convenient location for programs to access secrets stored in files both on my machine (either .gitignore or outside the local repo) and when running on the server, without storing secrets in the repository.

GitHub
github.com › actions › starter-workflows › issues › 785
How to use environment secret on github action? · Issue #785 · actions/starter-workflows
January 20, 2021 - Hi, I'm breaking my head trying to understand how the environment secret works and how I can get this value from Python. I followed the docs and made two vars: And I tried with: - name: Ezored - Dist upload env: EZORED_AWS_KEY_ID: ${{ secrets.EZORED_...
Author   paulocoutinhox
Configu
configu.com › home › github secrets: the basics and 4 critical best practices
GitHub Secrets: The Basics and 4 Critical Best Practices - Configu
January 17, 2025 - GitHub secrets are encrypted environment variables, managed within GitHub Actions. They allow you to store sensitive data, like access tokens and credentials, in a secure manner. Secrets can be stored at the level of a specific GitHub repository, ...
Top answer
1 of 2
72

I eventually figured it out. My mistake was that I defined my secrets within an environment and, by default, workflows do not run in any specific environment. For this to happen, I have to explicitly name the environment in the job description as follows:

jobs:
  publish:
    environment: CI    # <--- /!\ Here is the link to the environment
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
    - uses: actions/checkout@v2
    # Some more steps here ...
    - name: Publish to Test PyPI
      env:
        TWINE_USERNAME: "__token__"
        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
        TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
      run: |
        echo KEY: '${TWINE_PASSWORD}'   # debug output only; GitHub masks registered secret values in the job log
        twine check dist/*
        twine upload --verbose --skip-existing dist/*

The documentation mentions it actually.

Thanks to those who commented for pointing me in the right direction.
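Two checks a practitioner would add around the steps shown on this page, as an added example that is not code from the Reddit post or from either answer: `require_env` fails the job early when a secret came through empty (the symptom in the answer above, where the job was not bound to its environment), and `write_secret_file` is a hardened replacement for the Reddit question's `echo "$API_KEY_SECRET" > file` step. The helper names, the constructed variable names and the reliance on coreutils `printenv`/`stat` are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not code from the Reddit post or the answers on this page.
# Assumes a POSIX sh with coreutils (printenv, stat), as on ubuntu-latest runners.

# require_env NAME...
#   Fail fast when a referenced secret arrived empty. That is the symptom in the
#   answer above: a job that reads environment-scoped secrets without an
#   `environment:` key gets "" substituted silently. Only the names of the
#   missing variables are printed, never their values.
require_env() {
    missing=""
    for name in "$@"; do
        [ -n "$(printenv "$name" 2>/dev/null)" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "required secrets are unset or empty:$missing" >&2
        return 1
    fi
}

# write_secret_file NAME DEST
#   Hardened form of `echo "$SECRET" > file`. A plain redirection creates the file
#   with the runner's default umask (typically 0022, so 0644, readable by every
#   local user). Here the parent directory is made 0700 and the file 0600, and
#   the value flows from the environment straight into the file, so it never
#   appears on a command line (`ps`, `set -x` traces). Pass a DEST outside
#   $GITHUB_WORKSPACE so a later artifact-upload step cannot sweep it up.
write_secret_file() {
    require_env "$1" || return 1
    dir=$(dirname "$2")
    # Refuse a bare filename: chmod 0700 on "." would lock down the current
    # directory, which is almost never what the caller meant.
    [ "$dir" != "." ] || { echo "write_secret_file: DEST needs a directory" >&2; return 1; }
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    # Remove any stale file first: umask only governs newly created files.
    (umask 077 && rm -f "$2" && printenv "$1" > "$2") || return 1
    chmod 0600 "$2"
}

# file_mode PATH: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

In a workflow this runs as one `run:` step, e.g. `require_env ENDPOINT TEST_USER CLIENT_SECRET` before the tests, or `write_secret_file API_KEY_SECRET "$RUNNER_TEMP/secrets/api_key.txt"` in place of the plain redirection.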

2 of 2
11

This is the problem I struggled with. Since I am working with multiple environments and they all share the same named secrets with different values, the following solution worked for me. Isolated pieces are described here and there, but it wasn't obvious how to piece it together.

First I define that the environment is selected during the workflow_dispatch event:

on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: Select the environment
        required: true
        options:
          - TEST
          - UAT

I then reference it in the jobs context:

jobs:
  run-portal-tests:
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.environment }}

Finally, the secrets are used in the step I need them in:

- name: Run tests
  env:
    ENDPOINT: ${{ secrets.ENDPOINT }}
    TEST_USER: ${{ secrets.TEST_USER }}
    TEST_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
    CLIENT_ID: ${{ secrets.CLIENT_ID }}
    CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }}
  run: python3 main.py
Earthly
earthly.dev › blog › github-actions-environment-variables-and-secrets
Working with GitHub Actions Environment Variables and Secrets - Earthly Blog
July 11, 2023 - They’re usually managed by dedicated tools known as secrets managers to help create and view secrets while maintaining encryption. GitHub offers a built-in secrets manager tool in the form of Actions variables.
Pulumi
pulumi.com › home › what is a github actions secret?
What is a GitHub Actions Secret? | Pulumi
Scroll to the “Environment secrets” section. Click on the “Add secret” button. Provide a name for the secret and its corresponding value. e.g., Name: DEMO_GITHUB_TOKEN Value: github_pat_123123123
Medium
medium.com › @morepravin1989 › github-actions-mastering-env-and-secrets-with-a-simple-example-f8e57ddac02a
GitHub Actions: Mastering env and secrets with a Simple Example | by Pravin More | Medium
September 8, 2025 - GitHub’s secrets feature ensures that sensitive data is never exposed in your codebase or logs (GitHub even masks them automatically). Let’s create a real example that prints an environment variable and simulates the use of a secure API key.
GitHub
gist.github.com › brianjbayer › 53ef17e0a15f7d80468d3f3077992ef8
A How-To Guide for using Environment Variables and GitHub Secrets in GitHub Actions for Secrets Management in Continuous Integration · GitHub
GitHub Secrets are GitHub's secret management solution for its GitHub Actions CI/CD system. GitHub Secrets uses a libsodium sealed box approach so that secrets are encrypted before reaching GitHub.
GitHub
docs.github.com › en › code-security › reference › secret-security › understanding-github-secret-types
Understanding GitHub secret types - GitHub Docs
Repository secret: all workflows in the repository can access the secret. Environment secret: secret is limited to jobs referencing that particular environment.
ASUS
koskila.net › how-to-access-environment-secrets-with-github-actions
How to access Environment Secrets with GitHub Actions? - Koskila.net
This article aims to clear the confusion around the GitHub Repository Secrets and explain how to successfully use them in your pipelines for fun and profit! Well, mostly for additional security and pipeline parameterization, really... But still - it's a good piece of functionality to wrap your head around and implement in your daily work. ... When wanting to use Environment-specific secrets with GitHub Actions, the right sequence of steps is - in theory - quite clear.
MakerX
blog.makerx.com.au › leveraging-github-actions-environment-secrets-and-variables
Leveraging GitHub Actions Environment Secrets and Variables in Your Deployment Workflows
April 19, 2023 - Splitting YAML files into workflow callers and using environments can become complicated when accessing secrets and variables. Passing secrets as inputs to workflow callers is the only way to use GitHub Action Environment secrets and variables in this scenario.
DEV Community
dev.to › pwd9000 › best-practices-for-using-github-secrets-part-1-596f
Best Practices for Using GitHub Secrets - Part 1 - DEV Community
July 18, 2024 - Environment Secrets: If you have github environments configured, you can also create secrets that are stored at the environment level, this allows you to enable required reviewers to control access to the secrets.
Medium
medium.com › @morepravin1989 › github-actions-secrets-and-variables-understanding-repository-and-environment-secrets-for-2b2eed404222
GitHub Actions Secrets and Variables: Understanding Repository and Environment Secrets (For Beginners) | by Pravin More | Medium
September 8, 2025 - Note: GitHub masks the secret values in logs so they aren’t visible, even if printed. Environment secrets are tied to a specific environment (like production, staging, or development).
KodeKloud Notes
notes.kodekloud.com › docs › GitHub-Actions › GitHub-Actions-Core-Concepts › Working-with-Repository-Level-Secrets › page
Working with Repository Level Secrets - KodeKloud
Storing sensitive data—like API ... access. GitHub’s repository-level secrets provide a secure way to inject credentials into your CI/CD pipelines without risking leaks....
DEV Community
dev.to › github › environment-scoped-secrets-for-github-action-workflows-337a
Environment Scoped Secrets for GitHub Action Workflows - DEV Community
Secrets are encrypted environment variables that you create in an organization, repository, or environment. These secrets are also available to use in GitHub Actions workflows.
Published   March 1, 2021
GitHub
docs.github.com › en › codespaces › managing-your-codespaces › managing-your-account-specific-secrets-for-github-codespaces
Managing your account-specific secrets for GitHub Codespaces - GitHub Docs
Under "Codespaces secrets," to the right of the secret you want to delete, click Delete. Read the warning, then click OK. A development environment secret is exported as an environment variable into the user's terminal session.