Use Secrets to Manage Sensitive Information
Applicable Scenarios
The pipeline needs to use sensitive information such as passwords, API keys, and access credentials, but does not want to hardcode them in the workflow file or code repository.
Configuration Instructions
Create a Secret
Organization-level Secret:
- Go to Organization Settings → Secrets and Variables → Organization Secrets.
- Click New Organization Secret.
- Enter Name (e.g.,
PROD_DEPLOY_KEY) and Value. - Click New Secret.
Repository-level Secret:
- Go to Repository Settings → Secrets and Variables → Repository Secrets.
- Click New Repository Secret.
- Enter Name and Value.
- Click New Secret.
Reference a Secret in the Workflow
# Use Secrets to Manage Sensitive Information
stages:
- name: deploy
jobs:
- name: push-to-prod
runs-on: {ubuntu-24,x64,medium}
steps:
- run: |
ssh -i ${{ secrets.PROD_DEPLOY_KEY }} \
user@prod-server.example.com \
"deploy.sh ${{ secrets.PROD_API_TOKEN }}"
The reference syntax is ${{ secrets.SECRET_NAME }}, and the secret name rules are:
- Only uppercase letters, numbers, and underscores are allowed
- Must not start with
ATOMGIT_(to avoid conflict with system variables) - Must not start with a number
Use Secret in Container Credentials
jobs:
- name: private-image-build
runs-on: {ubuntu-24,x64,medium}
container:
image: registry.example.com/myapp:latest
credentials:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
Secret Security Mechanisms
| Security Measures | Description |
|---|---|
| Log Masking | Secret values are automatically replaced with *** in logs |
| Not Viewable | After creation, the original value cannot be viewed in the interface, only updated or overwritten |
| Fork Isolation | Workflows triggered by pull_request from a fork cannot access repository-level secrets |
| Environment Approval | Environment-level secrets can be configured with approvers; jobs cannot access them without approval |
Important: In the
pull_requestevent, workflows triggered by PRs from fork repositories cannot read repository secrets. This is a security isolation mechanism. If you need to use secrets in a PR pipeline, use thepull_request_targetevent.