
GitHub Actions Secrets and Variables 🔐

In GitHub Actions, secrets and variables are critical components for securely managing sensitive information and environment-specific configurations within your CI/CD workflows. These ensure that credentials, API keys, and other sensitive data are not exposed in your repository.

What Are Secrets? 🤫

Secrets in GitHub Actions are encrypted values stored at the repository, environment or organization level. They are encrypted before they reach GitHub, can be written but never read back through the UI or API, and are only decrypted on the runner when a workflow that is allowed to use them runs. Any value that appears verbatim in a log is redacted, and secrets are not passed to workflows triggered by pull requests from forks. They are used for sensitive information such as:

  • API keys
  • Database credentials
  • AWS access keys
  • Any other private data

What Are Variables? 🤫

Variables in GitHub Actions are NOT encrypted: they are stored and displayed in plain text and are not redacted from workflow logs. Use them only for non-sensitive configuration such as:

  • Environment names (e.g. "staging" or "production")
  • Service URLs or region names

Defining Secrets & Variables 🛡️

You can define them at the repository level, the environment level (scoped to a single deployment environment such as production, optionally behind required reviewers) or the organization level. Once defined, they are available to your workflows. We will set them up at the repository level.

Setting Up at the Repository Level:

  1. Navigate to your GitHub repository.
  2. Go to Settings.
  3. Under Security, click Secrets and variables and select Actions.
  4. On the Secrets tab, click New repository secret and enter the name and value. Names may contain only letters, digits and underscores, must not start with a digit or with the GITHUB_ prefix, and are case-insensitive.
  5. On the Variables tab, click New repository variable and enter the name and value. The same naming rules apply.


Using Secrets and Variables in GitHub Actions 🚀

Once a secret or variable is defined, it can be accessed in your workflow using the secrets or vars context. Note that referencing a secret that does not exist, or that is scoped to an environment the job is not bound to, does not fail the workflow: the expression silently evaluates to an empty string, so a deploy step should check that the values it needs are actually set.

Here’s a basic example in .github/workflows/main.yml:

# Assuming a role via OIDC needs permission to request an ID token;
# everything else stays at read-only.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # An IAM role ARN has the form arn:aws:iam::<account-id>:role/<role-name>
          role-to-assume: arn:aws:iam::${{ secrets.PROD_AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_OIDC_DEPLOY_ROLE }}
          # The session name is a label for CloudTrail, not a secret
          role-session-name: github-actions-deploy
          aws-region: ${{ vars.AWS_REGION }}
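The example below is an added, fuller workflow that is not part of the original page. It extends the snippet above to show how the secrets and vars contexts behave differently in practice: how a job is bound to an environment so environment-scoped secrets apply, why a secret is handed to a run step through env rather than expanded inline, and how to mask fields of a structured secret that GitHub's exact-match redaction would otherwise miss. The environment name, DEPLOY_TOKEN, SERVICE_URL and DB_CREDS_JSON are hypothetical names chosen for illustration; PROD_AWS_ACCOUNT_ID, AWS_OIDC_DEPLOY_ROLE and AWS_REGION are the names used on this page.

```yaml
name: deploy

on:
  push:
    branches: [main]

# Least privilege for the OIDC exchange: an ID token plus read access to the repo.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Hypothetical environment name. Binding the job to it makes that environment's
    # secrets available and enforces any protection rules (required reviewers, etc.).
    environment: production
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS credentials (OIDC, no long-lived access keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ secrets.PROD_AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_OIDC_DEPLOY_ROLE }}
          role-session-name: github-actions-${{ github.run_id }}
          # A variable: not sensitive, visible in plain text in the UI and in logs.
          aws-region: ${{ vars.AWS_REGION }}

      # Avoid: expanding a secret directly inside the script body writes the value into
      # the generated shell script. Pair that with any attacker-controlled context value
      # (a PR title, a branch name) and you have a command injection.
      #   run: curl -H "Authorization: Bearer ${{ secrets.DEPLOY_TOKEN }}" "${{ vars.SERVICE_URL }}"

      # Prefer: pass the secret to the step as an environment variable. The shell reads
      # it at run time and it never becomes part of the script text.
      - name: Trigger deploy hook
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # hypothetical secret
          SERVICE_URL: ${{ vars.SERVICE_URL }}        # hypothetical variable
        run: |
          # Fail fast if the secret resolved to an empty string (e.g. wrong environment).
          if [ -z "${DEPLOY_TOKEN}" ]; then
            echo "DEPLOY_TOKEN is not set for this environment" >&2
            exit 1
          fi
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${DEPLOY_TOKEN}" \
            "${SERVICE_URL}/deploy"

      # Log redaction only matches a secret's exact value. If a secret holds a JSON
      # document, the fields inside it are not masked until you register them.
      - name: Mask fields of a structured secret
        env:
          DB_CREDS: ${{ secrets.DB_CREDS_JSON }}   # hypothetical secret, e.g. {"user":"app","password":"..."}
        run: |
          password="$(printf '%s' "${DB_CREDS}" | jq -r '.password')"
          echo "::add-mask::${password}"
          # From this point on, any log line containing the password value is redacted.
```

The two run steps illustrate the practical difference between the contexts: a value taken from vars may be echoed freely, while a value taken from secrets should reach the shell only through env and, if it is a composite value, be masked field by field before anything logs it.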