Secrets

Encrypted secrets allow you to store sensitive information in your repository configuration.

Name

Because a secret is exposed to a workflow as an environment variable, its name should start with a letter and may contain only letters, numbers, or underscores (_). Spaces are not allowed.

Security

Secrets can be protected by a branch mask, which allows them to be used only in workflows running on matching branches. For example, deployment keys should only be available to the release or main branch. Using an unrestricted secret in a public repository is inherently insecure, so it is prohibited. Masks use doublestar (also known as globstar) syntax: **.
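
The naming rule and branch-mask check described above can be rehearsed locally before a secret is configured. This is an added example, not the service's own code: the function names are hypothetical, and the globstar semantics (`**` crosses `/`, `*` and `?` stay within one segment) and the reading of "unrestricted" as "no mask" are assumptions that may differ from the service's matcher in edge cases.

```python
import re

# Name rule from the page: starts with a letter, then letters, digits or underscores.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

# Glob tokens and their regex equivalents (assumed globstar semantics), longest first.
TOKENS = [
    ("**/", r"(?:.*/)?"),  # zero or more whole leading segments
    ("**", r".*"),         # anything, including '/'
    ("*", r"[^/]*"),       # anything except '/'
    ("?", r"[^/]"),        # one character except '/'
]

def valid_secret_name(name):
    return NAME_RE.fullmatch(name) is not None

def mask_to_regex(mask):
    """Compile a branch mask into a regex; non-glob characters are literal."""
    out, i = [], 0
    while i < len(mask):
        for glob, rx in TOKENS:
            if mask.startswith(glob, i):
                out.append(rx)
                i += len(glob)
                break
        else:
            out.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(out))

def branch_matches(mask, branch):
    # fullmatch: a mask of "main" must not admit "maintenance"
    return mask_to_regex(mask).fullmatch(branch) is not None

def secret_usable(name, masks, branch, public_repo):
    """Decide whether a workflow running on `branch` may receive the secret."""
    if not valid_secret_name(name):
        return False
    if not masks:
        # No mask means unrestricted; the page prohibits that in public repositories.
        return not public_repo
    return any(branch_matches(m, branch) for m in masks)

if __name__ == "__main__":
    # Constructed sample: a deploy key limited to main and release branches.
    masks = ["main", "release/**"]
    for branch in ["main", "maintenance", "release/1.0/hotfix", "feature/login"]:
        print(branch, secret_usable("DEPLOY_KEY", masks, branch, public_repo=True))
```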

Accessing your secret

To make a secret available to a workflow, it must be referenced in a workflow configuration file. For more information, see Workflow Configuration.

Usage example

workflows:
  - name: deploy
    on:
      push:
        branches: [main]
    env:
      USE_BAZEL_VERSION: "5.1.1"
    secrets:
      - DEPLOY_KEY
    ...