
Secrets

Encrypted secrets allow you to store sensitive information in your repository configuration.

Name

Since a secret is exposed in a workflow as an environment variable, its name must start with a letter and may only contain letters, numbers or underscores (_). Spaces are not allowed.

Security

A secret can be protected by a branch mask, which only allows it to be used in workflows running on matching branches. For example, deployment keys should only be available to the release or main branch. Using an unrestricted secret in a public repository is inherently insecure, so it is prohibited. Masks use doublestar (aka globstar) syntax: **.
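
As an added example (not part of the product or its documentation), the following script checks secret names against the naming rule above and lists which branches a given mask would expose a secret to. The mask semantics are an assumption based on the common doublestar convention (`*` stays within one path segment, `**` crosses `/`); the secret names, masks and branch names are constructed sample data.

```python
import re

# Naming rule from the page: starts with a letter; letters, digits, underscores only.
SECRET_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

def valid_secret_name(name):
    return SECRET_NAME.fullmatch(name) is not None

def mask_to_regex(mask):
    """Translate a globstar mask into a regex.
    Assumed semantics (common doublestar convention, not confirmed by the page):
    '**' matches anything including '/', '*' matches within one segment,
    '?' matches a single non-'/' character."""
    out, i = [], 0
    while i < len(mask):
        if mask.startswith("**/", i):
            out.append("(?:.*/)?"); i += 3   # zero or more leading segments
        elif mask.startswith("**", i):
            out.append(".*"); i += 2
        elif mask[i] == "*":
            out.append("[^/]*"); i += 1
        elif mask[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(mask[i])); i += 1
    return re.compile("".join(out))

def branch_allowed(mask, branch):
    # fullmatch: a mask of "main" must not also match "maintenance"
    return mask_to_regex(mask).fullmatch(branch) is not None

def audit(secrets, branches):
    """Map each secret name to the branches whose workflows could read it."""
    report = {}
    for name, mask in secrets.items():
        if not valid_secret_name(name):
            raise ValueError(f"invalid secret name: {name!r}")
        report[name] = [b for b in branches if branch_allowed(mask, b)]
    return report

# Constructed sample data: secret name -> branch mask, plus some branch names.
SAMPLE_SECRETS = {"DEPLOY_KEY": "main", "STAGING_TOKEN": "release/*", "CACHE_KEY": "**"}
SAMPLE_BRANCHES = ["main", "release/1.2", "release/1.2/hotfix", "feature/login"]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_SECRETS, SAMPLE_BRANCHES).items():
        print(f"{name}: {hits}")
```

Running an audit like this against the real branch list before saving a mask shows whether a pattern reaches further than intended, such as feature branches that accept outside contributions.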

Accessing your secret

To make a secret available to a workflow, it must be referenced in the workflow configuration file. For more information, see Workflow Configuration.

Usage example

workflows:
  - name: deploy
    on:
      push:
        branches: [main]
    env:
      USE_BAZEL_VERSION: "5.1.1"
    secrets:
      - DEPLOY_KEY
    ...