How Secrets Work in GitHub and How to Manage Them

Davide 'CoderDave' Benvegnù - Apr 29 '21 - Dev Community

GitHub lets you save your secrets, like credentials, keys, etc., and use them in GitHub Actions.

Let's see how Secrets work in GitHub and how to manage them.

Video

As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here you have the video with the whole explanation and demo, which to be fair is much more complete than this post.

Link to the video: https://youtu.be/tXv_npAP90k

If you would rather read, well... let's just continue :)

Secrets Levels

First of all, there are 3 levels of secrets you can use in GitHub: secrets at the Organization level, at the Repository level, and inside GitHub Actions Environments.

Organization Secrets

Organization secrets let you share secrets across different repositories without duplicating them. They can be scoped to specific repositories or made available to all of them. Remember that they aren't available in the free plan.

Repository Secrets

Repository secrets, instead, are scoped to a single repo, as the name says. They can be used to override organization-defined secrets when they use the same name, and they are available on the free plan.

Environment Secrets

Finally, the Environment Secrets. They are scoped to a specific environment, and can override both organization and repo secrets. They are available on the free plan, but only for public repos.

Secrets Hierarchy

Feature-wise, those three levels are equivalent, but they sit at different points in the hierarchy and have different precedence.

Organization secrets are of course defined at the highest level, then we have the repository secrets underneath, and finally the environment secrets, since environments are defined inside a repo.

When the GitHub Actions engine needs to access a secret, it first looks in the environment. If no environment secret is defined with that name, it falls back to the repository secrets and uses those. If there is still no secret with that name, GitHub Actions falls back again to the organization secrets, if you are in a context within an organization.

If no secret with the given name is found in any of the secrets stores, then you'll get an error.
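The lookup order above also means a more specific secret silently shadows a broader one with the same name, which matters when a shared credential is rotated at only one level. The following is an added example, not code from the original post or from GitHub: a small Python model of the precedence that reports which level supplies a name and which definitions it shadows. The inventory, repository names and secret names are constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OrgSecret:
    name: str
    repos: Optional[set] = None  # None = shared with every repository

@dataclass
class Inventory:
    org: list = field(default_factory=list)   # OrgSecret entries
    repo: dict = field(default_factory=dict)  # repo -> set of secret names
    env: dict = field(default_factory=dict)   # (repo, environment) -> set of names

def candidates(inv, repo, name, environment=None):
    """Every level that defines `name` for this job, most specific first."""
    found = []
    if environment and name in inv.env.get((repo, environment), set()):
        found.append("environment")
    if name in inv.repo.get(repo, set()):
        found.append("repository")
    if any(s.name == name and (s.repos is None or repo in s.repos) for s in inv.org):
        found.append("organization")
    return found

def resolve(inv, repo, name, environment=None):
    """Level whose value the job receives, or None if no store defines the name."""
    found = candidates(inv, repo, name, environment)
    return found[0] if found else None

def shadowed(inv, repo, name, environment=None):
    """Levels that define the name but lose to a more specific level."""
    return candidates(inv, repo, name, environment)[1:]

# Constructed inventory: names only, because stored values cannot be read back.
INVENTORY = Inventory(
    org=[OrgSecret("NPM_TOKEN"), OrgSecret("DEPLOY_KEY", repos={"web"})],
    repo={"web": {"DEPLOY_KEY"}, "api": {"DB_PASSWORD"}},
    env={("web", "production"): {"DEPLOY_KEY"}},
)

if __name__ == "__main__":
    jobs = [("web", "production", "DEPLOY_KEY"), ("web", None, "DEPLOY_KEY"),
            ("api", None, "DEPLOY_KEY"), ("api", None, "NPM_TOKEN")]
    for repo, env, name in jobs:
        print(repo, env, name, "->", resolve(INVENTORY, repo, name, env),
              "| shadowed:", shadowed(INVENTORY, repo, name, env))
```

Any non-empty result from shadowed() marks a name that has to be rotated at more than one level.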

Create, Update and Manage Secrets

Let's quickly see now how to create, update, and manage those secrets.

▶ Check the demo section of the video

Once again, remember that once the secret has been saved, it will not be possible to retrieve its value manually via the UI or APIs. Only the GitHub Actions engine will be able to consume it.

Conclusions

Let me know in the comment section below how you manage your secrets and if you want me to cover the integration with 3rd party secrets providers like Azure KeyVault.

Also, you may want to check out this video which talks about GitHub Actions Environments in detail.
