Using secrets in a workflow in GitHub

Using secrets in a workflow in GitHub

GitHub Actions allows you to securely reference secrets in workflows to manage sensitive data like API keys, tokens, and other confidential information. Below are examples and guidelines on how to use secrets effectively.

1. Referencing Secrets from the Command Line

Secrets can be used directly within shell commands and scripts in GitHub Actions workflows.

Example: Referencing Secrets in Commands

xxxxxxxxxx
15
1
name: Deploy to Production
2
on:
3
  push:
4
    branches:
5
     - main
6
jobs:
7
  deploy:
8
    runs-on: ubuntu-latest
9
    steps:
10
     - name: Checkout Repository
11
        uses: actions/checkout@v3
12
     - name: Deploy Application
13
        run: |
14
          echo "Deploying to production environment..."
15
          curl -X POST -H "Authorization: Bearer ${{ secrets.DEPLOY_TOKEN }}" https://my-deployment-api.com/deploy

In this example:

The DEPLOY_TOKEN secret is securely referenced in the curl command to authenticate the deployment API request.

2. Using Secrets in Conditional Statements (if:)

Secrets can be conditionally used within GitHub Actions by using if: statements to control workflow behavior based on secret values.

Example: Using Secrets in Conditionals

xxxxxxxxxx
15
1
name: Check Environment
2
on:
3
  push:
4
    branches:
5
     - main
6
jobs:
7
  check:
8
    runs-on: ubuntu-latest
9
    steps:
10
     - name: Checkout Repository
11
        uses: actions/checkout@v3
12
     - name: Check Deployment
13
        if: ${{ secrets.DEPLOY_TOKEN }}
14
        run: |
15
          echo "Deploy token exists, proceeding with deployment"

In this example:

The deployment step only runs if the DEPLOY_TOKEN secret exists.

3. Limitations of Secrets in GitHub Actions

While GitHub Secrets are secure, there are some limitations and considerations:

1. Scope: Secrets can only be used in workflows triggered by certain events, such as pushes, pull requests, or scheduled workflows.

2. Visibility: Secrets are only available to the workflow they are defined for and cannot be shared across workflows or between repositories without a custom solution.

3. Environment Size: Secrets are limited in size (currently 512 KB per secret).

4. Runtime Limitations: Secrets are not available during some steps, such as within Docker containers or virtual environments.

5. Retention: Secrets can be manually deleted or rotated, but old values may still be retained for a short period due to caching.

4. Example Using Secrets in a More Complex Workflow

xxxxxxxxxx
22
1
name: Publish Docker Image
2
on:
3
  push:
4
    branches:
5
     - main
6
jobs:
7
  build:
8
    runs-on: ubuntu-latest
9
    steps:
10
     - name: Checkout Repository
11
        uses: actions/checkout@v3
12
     - name: Login to Docker Hub
13
        uses: docker/login-action@v2
14
        with:
15
          username: ${{ secrets.DOCKER_USERNAME }}
16
          password: ${{ secrets.DOCKER_PASSWORD }}
17
     - name: Build Docker Image
18
        run: |
19
          docker build -t my-app:latest .
20
     - name: Push Docker Image
21
        run: |
22
          docker push my-app:latest

In this example:

The DOCKER_USERNAME and DOCKER_PASSWORD secrets are used to authenticate and push the Docker image securely.

Summary

By effectively using GitHub Secrets, you can ensure secure handling of sensitive information in your GitHub Actions workflows.