Script Valley
Git and GitHub Complete Course: From Beginner to Advanced
GitHub Actions and CI/CD Automation, Lesson 5.3

Secrets, Environment Variables, and Contexts

Production workflows often need API keys, deployment tokens, and other sensitive values. GitHub provides a secure secrets storage system that keeps these values encrypted and injects them into workflows without exposing them in logs.

Adding Secrets

In your repository, go to Settings > Secrets and variables > Actions > New repository secret. Enter a name such as API_KEY and its value. Secrets are encrypted at rest and masked in workflow logs.

Using Secrets in Workflows

steps:
  - name: Deploy
    run: ./deploy.sh
    # Secrets are mapped into this step's environment only
    env:
      API_KEY: ${{ secrets.API_KEY }}
      DATABASE_URL: ${{ secrets.DATABASE_URL }}

Environment Variables

Set environment variables at the workflow, job, or step level using the env key. Variables set at a broader scope are available to all nested levels:

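env:
  NODE_ENV: production        # workflow level: available to every job and step

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      BUILD_DIR: ./dist       # job level: available to every step in this job
    steps:
      - name: Show scoped variables
        run: echo "$NODE_ENV $BUILD_DIR"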

Contexts

Contexts are collections of information about the run, the repository, the event, and the runner. Common contexts: ${{ github.sha }} gives the commit hash, ${{ github.ref }} gives the branch/tag, ${{ github.actor }} gives the user who triggered the workflow, and ${{ runner.os }} gives the operating system.

Environment Protection Rules

For production deployments, create environments in Settings > Environments and add required reviewers. Workflows deploying to protected environments will pause and wait for manual approval.
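
The pieces of this lesson combined into one workflow, as an added example that is not part of the original lesson. It assumes an environment named production with required reviewers, the secrets API_KEY and DATABASE_URL, a default branch named main, and the lesson's ./deploy.sh committed in the repository.

```yaml
# Added example, not part of the original lesson.
# Assumptions: environment "production" with required reviewers, secrets
# API_KEY and DATABASE_URL, default branch "main", ./deploy.sh in the repo.
name: Deploy

on:
  push:
    branches: [main]

env:
  NODE_ENV: production            # workflow level: every job and step sees it

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      BUILD_DIR: ./dist           # job level: only steps in this job see it
    steps:
      - uses: actions/checkout@v4
      - name: Show non-sensitive context
        # Context values are passed through env rather than pasted into the
        # script text, so the shell only ever sees them as variables.
        env:
          COMMIT: ${{ github.sha }}
          REF: ${{ github.ref }}
          RUNNER: ${{ runner.os }}
        run: echo "Building $COMMIT ($REF) on $RUNNER into $BUILD_DIR"

  deploy:
    needs: build
    runs-on: ubuntu-latest
    # Referencing a protected environment holds this job until a required
    # reviewer approves; the job does not start before that.
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        # Secrets are mapped at step level, so only this step's process
        # receives them. The build job above never has them in scope.
        env:
          API_KEY: ${{ secrets.API_KEY }}
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          TRIGGERED_BY: ${{ github.actor }}
        run: ./deploy.sh
```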
