DEV Community

Brian Douglas for GitHub


Environment Scoped Secrets for GitHub Action Workflows

Secrets are encrypted environment variables that you create in an organization, repository, or environment. These secrets are also available to use in GitHub Actions workflows.

GitHub uses the open-source libsodium encryption library to ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow.

jedisct1 / libsodium: A modern, portable, easy to use crypto library.

Organization-level Secrets

For secrets stored at the organization level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all repository workflows that use that secret.

[Image: select org level repo secrets]

Repository Environment Secrets

For secrets stored at the environment level, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until the required approvers approve.

[Image: environment based secrets]

In my examples, I have a DATABASE_URL secret specifically for my staging environment.
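A workflow that consumes an environment-scoped secret like this one, as an added example that is not from the original post. The workflow name, job names, branch filter and script paths are assumptions; only the `staging` environment and the `DATABASE_URL` secret come from the text above.

```yaml
# Added example: hypothetical workflow file, e.g. .github/workflows/staging.yml
name: staging-migrate

on:
  push:
    branches: [main]        # assumed trigger

permissions:
  contents: read            # least privilege for the job's GITHUB_TOKEN

jobs:
  test:
    runs-on: ubuntu-latest
    # No `environment:` key on this job, so environment secrets are out of
    # scope here. Assuming no repository or organization secret shares the
    # name, secrets.DATABASE_URL would evaluate to an empty string.
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh          # hypothetical script

  migrate-staging:
    needs: test
    runs-on: ubuntu-latest
    # Binding the job to the environment is what makes its secrets available.
    # If the environment has required reviewers, the job waits here until
    # one of them approves, and the secret is not released before that.
    environment: staging
    steps:
      - uses: actions/checkout@v4
      - name: Run migrations against staging
        env:
          # Map the secret into an environment variable for this step only,
          # instead of interpolating it into the command line.
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: ./scripts/migrate.sh       # hypothetical script
```

Scoping the `env:` mapping to the single step that needs it keeps the value away from the other steps in the job.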

If you want to see this live in an action, check out this GitHub Universe talk from Chris Patterson (GitHub Action PM).

This is part of my 28 days of Actions series. To get notified of more GitHub Action tips, follow the GitHub organization right here on Dev. Learn how to build action with Node.js
