You can pass-in Secrets as ENV variables.
Example:
...
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Use Node 12.x
uses: actions/setup-node@v1
with:
node-version: 12.x
- name: Install Dependencies (prod)
run: yarn install --frozen-lockfile --production
- name: Run Tests (JEST)
run: yarn test --ci --silent --testPathIgnorePatterns=experimental
env:
CI: true
API_KEY: ${{ secrets.API_KEY }}
In Node.js you can access it via process.env.API_KEY.
DEV Community
dev.to › pwd9000 › best-practices-for-using-github-secrets-part-1-596f
Best Practices for Using GitHub Secrets - Part 1 - DEV Community
July 18, 2024 - Navigate to Your Repository: 1.1. Go to your GitHub repository. 1.2. Click on Settings. Access Secrets: 2.1. In the left sidebar, click on Secrets and variables under the Security section. 2.2. Notice that you have options for Actions, Codespaces and Dependabot.
Top answer 1 of 3
41
You can pass-in Secrets as ENV variables.
Example:
...
steps:
- name: Git checkout
uses: actions/checkout@v2
- name: Use Node 12.x
uses: actions/setup-node@v1
with:
node-version: 12.x
- name: Install Dependencies (prod)
run: yarn install --frozen-lockfile --production
- name: Run Tests (JEST)
run: yarn test --ci --silent --testPathIgnorePatterns=experimental
env:
CI: true
API_KEY: ${{ secrets.API_KEY }}
In Node.js you can access it via process.env.API_KEY.
2 of 3
2
I Find a way to achieve it although it might not be the best (And I'm definitly not bash expert)
So create a setEnv.sh file
mkdir env
echo "export const environment = { firebase_api_key : '$1' }" > env/env.ts
That take as your API key as first parameter, create a env folder and save TS code with your api key.
Then add this line
- run: sh setEnvironment.sh ${{ secrets.FIREBASE_API_KEY }}
Into your github action script, which will execute your script and set the Secret Key.
You'll now just have to use environment.firebase_api_key in your code.
Note: Your build needs to encrypt your key otherwise it will be exposed. But this can be usefull for example if you use API keys on your website and you also want your website code to be available in public on Github, without those plain keys.
How do I get my local code to use a github secret after I make/run the action for it?
You don’t use an actions secret locally, it’s used by the actions machine. It looks like you want to set an environment variable so you’ll need to use some other local option to store the secret such as a .env file (that you don’t commit, be sure to add it to your .gitignore)or by adding it to your environment variables directly in the shell. More on reddit.com
3
1
February 9, 2023Using GitHub Secrets without using GitHub Actions
I was wondering if it’s at all possible to use GitHub secrets in python code located in the repository without initializing the secrets in the env section of the GitHub Actions yaml file. I have no... More on github.com
6
2
Is storing credentials in Github Secrets considered safe?
I'm guessing this would mean your RDS is on a public subnet / open to the internet which is not a good idea in general. But besides that I would suggest in this case to use: Authenticate with OIDC github -> AWS for temporary shortlived credentails. Use RDS IAM authentication for the migration, that way you also there get shortlived temporary credentials for the database. (not saying you should use RDS IAM auth for your app, but for the migration in the scenario you paint is ok). It's not per say that github secrets in considered insecure. But using static AKSK and password when not needed is less secure. More on reddit.com
19
30
April 5, 2025It is safe to use secret in Action in a public repo?
Secrets are reasonably safe as long as you're not outputting values anywhere (logs or otherwise) and are using GitHub hosted runners (which are ephemeral). The bigger risk IMO would be someone opening a PR with a modified workflow that exports your secrets. Take care that your workflows don't trigger on pull_request_target and that you don't allow actions to run by default on PRs from first time contributors. Review all pull requests for changes to workflow files. Maybe even setup CODEOWNERS for workflow files as an extra approval step. Also, deployment environments can help to section off secrets too. You can make jobs on a certain environment require approval before the workflow can run - allowing you to proactively review before the job is permitted to execute and therefore read the environment secrets. Going beyond, lookup the "hardening for actions" GitHub official document for more info on secrets and best practices. Also, check google "preventing pwn requests on GitHub" from GitHub's security lab team. More on reddit.com
12
2
February 7, 2024Videos
07:05
GitHub Actions SECRETS • #secrets #devops #githubactions - YouTube
25:53
How to Use GitHub Actions Environment Variables and Secrets - YouTube
15:01
Managing GitHub Secrets Demo: Best Practices and Tips - YouTube
09:26
Github Secrets - How to use and hide api key | token | credentials ...
09:49
GitHub Actions - Masking Variables and Secrets - YouTube
01:25
Overview of GitHub Secret Scanning - YouTube
TheServerSide
theserverside.com › blog › Coffee-Talk-Java-News-Stories-and-Opinions › GitHub-Actions-Secrets-Example-Token-Tutorial
How to use GitHub Actions secrets to hide your tokens and passwords example
Reference the GitHub secret in code by prepending the text secret.
GitHub
docs.github.com › actions › security-guides › using-secrets-in-github-actions
Using secrets in GitHub Actions - GitHub Docs
To have a copy of your repository in the environment that your workflow runs in, you'll need to use the actions/checkout action. Reference your shell script using the run command relative to the root of your repository. name: Workflows with large secrets on: push jobs: my-job: name: My Job runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 - name: Decrypt large secret run: ./decrypt_secret.sh env: LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }} # This command is just an example to show your secret being printed # Ensure you remove any print statements of your secrets.
GitHub
docs.github.com › en › codespaces › managing-your-codespaces › managing-your-account-specific-secrets-for-github-codespaces
Managing your account-specific secrets for GitHub Codespaces - GitHub Docs
Once you have created a secret, it will be available when you create a new codespace or restart the codespace. If you've created a secret on GitHub and you want to use it in a currently running codespace, stop the codespace and then restart it.
GitHub
docs.github.com › en › codespaces › managing-codespaces-for-your-organization › managing-development-environment-secrets-for-your-repository-or-organization
Managing development environment secrets for your repository or organization - GitHub Docs
Once you have created a secret, it will be available when you create a new codespace or restart the codespace. If you've created a secret on GitHub and you want to use it in a currently running codespace, stop the codespace and then restart it.
GitHub
docs.github.com › en › get-started › learning-to-code › storing-your-secrets-safely
Storing your secrets safely - GitHub Docs
Now we can update the YAML workflow file to use the token and test it works. Navigate back to your repository. If you're in your repository's settings, you can click Code under the repository name.
OnboardBase
onboardbase.com › blog › github-secrets
Github Secrets: A Complete Guide
November 10, 2022 - Github keeps secrets encrypted, and collaborators who will use them won’t even need to know their value to do so. If you don’t already have a Github repository, create a new one to host your Github Actions workflow: ... In Github, create a new private Github repository and go back to the command line with the URL of your new repository:
KodeKloud Notes
notes.kodekloud.com › docs › AZ-400-Designing-and-Implementing-Microsoft-DevOps-Solutions › Design-and-Implement-a-Strategy-for-Managing-Sensitive-Information-in-Automation › Exploring-GitHub-Secrets › page
Exploring GitHub Secrets - KodeKloud
Add secrets to your workflow YAML to inject them at runtime. Create a file like .github/workflows/hello.yml:
Reddit
reddit.com › r/github › how do i get my local code to use a github secret after i make/run the action for it?
r/github on Reddit: How do I get my local code to use a github secret after I make/run the action for it?
February 9, 2023 -
Here's the YAML in my .github/workflows folder. I can see in the output that the key gets masked as "***" as expected. Now how do I actually reference it in my code and actually start... using it locally? My understanding is when using github secrets, the plaintext of the key is never referenced directly, just the environment variable that github uses. I'm just learning about this but it's not like any secret management tool I've ever used before.
name: secrets
on: push
jobs:
secrets-action:
runs-on: windows-latest
steps:
- shell: pwsh
env:
ENV_KEY_DEV: ${{ secrets.ENV_KEY_DEV }}
run: envGit-secret
git-secret.io
Redirecting...
We cannot provide a description for this page right now
How-To Geek
howtogeek.com › home › cloud › what are github secrets, and how do you use them?
What Are GitHub Secrets, and How Do You Use Them?
July 2, 2023 - To set a repository-wide secret, you'll need to head to the settings panel for the repository, and click Secrets > Actions. You can also set secrets for GitHub Codespaces, and Dependabot, if you use those.
Kinsta®
kinsta.com › home › resource center › blog › web development tools › how to use github actions secrets to hide sensitive data
How To Use GitHub Actions Secrets To Hide Sensitive Data?
1 month ago - If you put the secret verySecretToken before the Add Mask step, it will still appear unmasked. So, to ensure the value is masked, it’s essential to use ::add-mask:: as soon as possible. Once you commit and publish your modifications to your GitHub repository, the string verySecretToken will be replaced by asterisks (*) wherever it appears in your logs:
GitHub
docs.github.com › en › actions › concepts › security › secrets
Secrets - GitHub Docs
A workflow job cannot access environment secrets until approval is granted by required approvers. To make a secret available to an action, you must set the secret as an input or environment variable in your workflow file.
NashTech Blog
blog.nashtechglobal.com › home › playing with github secret api
Playing with GitHub Secret API - NashTech Blog
September 23, 2021 - Now, we’ll see the different operations perform using GitHub Secret API at the repository level. Consider the repo “HelloWorld” with the owner “sakshigawande12“ · lt ists all secrets available in a repository without revealing their encrypted values. You must authenticate using an access token with the repo scope to use this endpoint.
CICube
cicube.io › blog › github-actions-secrets
How to Use Secrets in GitHub Actions Workflows | CICube
October 3, 2024 - On GitHub, navigate to the homepage of your repository. Under the repository name, click Settings. In the left sidebar, click Secrets and variables, then select Actions.
Medium
medium.datadriveninvestor.com › accessing-github-secrets-in-python-d3e758d8089b
Accessing GitHub secrets in Python | by Dipam Vasani | DataDrivenInvestor
April 21, 2021 - To add a new secret, go to your GitHub repository > Settings > Secrets > New Repository Secret. ... I am adding secrets for this repository only, but you can also share them across repositories in your organization.
Spectral
spectralops.io › home › how to use git secrets for better code security
How to Use Git Secrets for Better Code Security - Spectral
May 18, 2024 - Pattern Matching: It compares your code against patterns resembling secrets (API keys, passwords, etc.). Alerts and Prevention: Git Secrets prevents accidental leaks by halting commits containing potential secrets and alerting you immediately. Customization is critical with Git Secrets. While it includes generic patterns to detect shared secrets, you can significantly enhance its effectiveness by defining custom patterns that align with the specific secret formats you use within your organization.
DEV Community
dev.to › msnmongare › how-to-add-github-secrets-easily-step-by-step-guide-3cmh
How to Add GitHub Secrets Easily (Step-by-Step Guide) - DEV Community
September 13, 2025 - Open your repository on GitHub. Click ⚙️ Settings (top navigation). Scroll down to Secrets and variables → Actions. Click New repository secret. ... Click Add secret. That’s it!