跳到主要内容

Use Secrets to Manage Sensitive Information

Applicable Scenarios

The pipeline needs to use sensitive information such as passwords, API keys, and access credentials, but does not want to hardcode them in the workflow file or code repository.

Configuration Instructions

Create a Secret

Organization-level Secret:

  1. Go to Organization Settings → Secrets and Variables → Organization Secrets.
  2. Click New Organization Secret.
  3. Enter Name (e.g., PROD_DEPLOY_KEY) and Value.
  4. Click New Secret.

Repository-level Secret:

  1. Go to Repository Settings → Secrets and Variables → Repository Secrets.
  2. Click New Repository Secret.
  3. Enter Name and Value.
  4. Click New Secret.

Reference a Secret in the Workflow

# Use Secrets to Manage Sensitive Information
stages:
- name: deploy
jobs:
- name: push-to-prod
runs-on: {ubuntu-24,x64,medium}
steps:
- run: |
ssh -i ${{ secrets.PROD_DEPLOY_KEY }} \
user@prod-server.example.com \
"deploy.sh ${{ secrets.PROD_API_TOKEN }}"

The reference syntax is ${{ secrets.SECRET_NAME }}, and the secret name rules are:

  • Only uppercase letters, numbers, and underscores are allowed
  • Must not start with ATOMGIT_ (to avoid conflict with system variables)
  • Must not start with a number

Use Secret in Container Credentials

jobs:
- name: private-image-build
runs-on: {ubuntu-24,x64,medium}
container:
image: registry.example.com/myapp:latest
credentials:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}

Secret Security Mechanisms

Security MeasuresDescription
Log MaskingSecret values are automatically replaced with *** in logs
Not ViewableAfter creation, the original value cannot be viewed in the interface, only updated or overwritten
Fork IsolationWorkflows triggered by pull_request from a fork cannot access repository-level secrets
Environment ApprovalEnvironment-level secrets can be configured with approvers; jobs cannot access them without approval

Important: In the pull_request event, workflows triggered by PRs from fork repositories cannot read repository secrets. This is a security isolation mechanism. If you need to use secrets in a PR pipeline, use the pull_request_target event.