GitHub lets you save your secrets, like credentials, keys, etc., and use them in GitHub Actions.
Let's see how Secrets work in GitHub and how to manage them.
As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.
If you rather prefer reading, well... let's just continue :)
First thing we have to say is that there are 3 levels of secrets you can use in GitHub. Secrets at Organization Level, at Repository Level, and inside GitHub Actions Environments.
The organization secrets allow you to share secrets to different repositories without the need of duplicating them. They can also be scoped to specific repositories or used in all of them. Remember that they aren't available in the free plan.
Repository secrets, instead, as the name says are scoped to single repo. They can be used to override the organization-defined secrets, when using the same name, and are available on the free plan.
Finally, the Environments Secrets. They are scoped to a _specific environment, and can override both Organization and repo secrets. They are available on the free plan, but only for public repos.
Feature wise, those three levels are equivalent, but they have a different hierarchy and precedence.
Organization secrets are of course defined at the highest level, then we have the repository secrets underneath, and finally the environment secrets, since environments are defined inside a repo.
When the GitHub Actions engine needs to access those secrets, it will first look into environments. If there is no environment secret defined with that name, it will fall back to the repository secrets and use those ones. And again, if there is no secret with that name, GitHub Actions will fall back again to the organization secrets, if you are in a context withing an organization.
If no secret with the given name is found in any of the secrets stores, then you'll get an error.
Let's quickly see now how to create, update, and manage those secrets.
▶ Check the demo section of the video
Once again, remember that once the secret has been saved, it will not be possible to retrieve its value manually via UI or APIs. Only the GitHub Actions engine will be able to consume it.
Let me know in the comment section below how you manage your secrets and if you want me to cover the integration with 3rd party secrets providers like Azure KeyVault.
Also, you may want to check out this video which talks about GitHub Actions Environments in detail.
Like, share and follow me 🚀 for more content: