Script Valley
Git and GitHub Complete Course: From Beginner to Advanced
GitHub Actions and CI/CD Automation: Lesson 5.3

Secrets, Environment Variables, and Contexts

Production workflows often need API keys, deployment tokens, and other sensitive values. GitHub provides a secure secrets storage system that keeps these values encrypted and injects them into workflows without exposing them in logs.

Adding Secrets

Go to your repository Settings > Secrets and variables > Actions > New repository secret. Add a name like API_KEY and the value. Secrets are encrypted at rest and masked in workflow logs.

Using Secrets in Workflows

steps:
  - name: Deploy
    run: ./deploy.sh
    env:
      API_KEY: ${{ secrets.API_KEY }}
      DATABASE_URL: ${{ secrets.DATABASE_URL }}
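
A check for the pattern above, as an added example that is not part of the original lesson: this Python script scans workflow text and reports secrets that are interpolated directly into a run: script instead of being passed through env:, because an inline ${{ secrets.X }} is substituted into the script text before the shell parses it. The function name, the line-based parsing and the sample workflow are assumptions constructed for illustration.

```python
import re

# Matches ${{ secrets.NAME }}; the bracket form secrets['NAME'] is not covered.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
BLOCK_HEADER = re.compile(r"[|>][0-9+-]*")  # YAML block scalar: |, >, |-, ...

def find_inline_secrets(workflow_text):
    """Return (line_number, secret_name) for secrets used inside run: scripts."""
    findings = []
    block_indent = None  # column of the run: key while inside a multi-line script
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        script = None
        if block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if not line.strip() or indent > block_indent:
                script = line            # still inside the block scalar
            else:
                block_indent = None      # a dedent ends the script
        if script is None:
            m = RUN_KEY.match(line)
            if m and BLOCK_HEADER.fullmatch(m.group(2).strip()):
                block_indent = len(m.group(1))
            elif m:
                script = m.group(2)      # single-line run: command
        for ref in SECRET_REF.finditer(script or ""):
            findings.append((lineno, ref.group(1)))
    return findings

# Constructed sample workflow: the first step follows the lesson's env: pattern,
# the other two interpolate secrets straight into the script text.
SAMPLE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy (pattern from the lesson)
        run: ./deploy.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}
      - name: Migrate
        run: |
          export DATABASE_URL="${{ secrets.DATABASE_URL }}"
          ./migrate.sh
      - run: ./notify.sh --key "${{ secrets.API_KEY }}"
"""

if __name__ == "__main__":
    for lineno, name in find_inline_secrets(SAMPLE):
        print(f"line {lineno}: secrets.{name} is interpolated into a run: script")
```

Secrets mapped under env: (line 8 of the sample) are not reported; only references inside the script body are.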

Environment Variables

Set environment variables at the workflow, job, or step level using the env key. Variables set at a broader scope are available to all nested levels:

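env:
  NODE_ENV: production          # workflow level: visible to every job

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      BUILD_DIR: ./dist         # job level: visible to every step in build
    steps:
      - name: Show variables
        run: echo "$NODE_ENV $BUILD_DIR"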

Contexts

Contexts are collections of information about the run, the repository, the event, and the runner. Common contexts: ${{ github.sha }} gives the commit hash, ${{ github.ref }} gives the branch/tag, ${{ github.actor }} gives the user who triggered the workflow, and ${{ runner.os }} gives the operating system.

Environment Protection Rules

For production deployments, create environments in Settings > Environments and add required reviewers. Workflows deploying to protected environments will pause and wait for manual approval.
