Managing Secrets
Never hardcode API keys, database passwords, or deployment tokens in your code or YAML files!
GitHub provides Repository Secrets. These are encrypted environment variables that you configure in the repository settings (Settings > Secrets and variables > Actions).
Accessing Secrets
Secrets are accessed via the ${{ secrets.SECRET_NAME }} context.
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to AWS
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          aws s3 cp build/ s3://my-bucket/ --recursive
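GitHub automatically redacts secrets from the action logs, replacing them with ***. Redaction matches the exact secret value, so a transformed copy (for example, a base64-encoded one) is not masked; avoid printing secrets in any form.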
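To enforce the "never hardcode" rule, the following added example (not part of the original page) scans workflow text for sensitive-looking keys whose value is a literal instead of a ${{ secrets.NAME }} reference. The key-name heuristic, the function name and the sample workflow are assumptions constructed for illustration; the key ID shown is the placeholder from AWS documentation.

```python
import re

# Key names that usually hold credentials (assumed heuristic; tune for your repo).
SENSITIVE_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|ACCESS_KEY)", re.I)
# A value taken purely from the secrets context, e.g. ${{ secrets.AWS_ACCESS_KEY_ID }}.
SECRETS_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Shape of a long-term AWS access key ID.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A simple "KEY: value" mapping line, optionally written as a list item.
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.+?)\s*$")


def find_hardcoded_secrets(workflow_text):
    """Return (line_no, key, reason) for each suspicious line in a workflow file."""
    findings = []
    for line_no, raw in enumerate(workflow_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0]  # drop trailing YAML comments
        match = KEY_VALUE.match(line)
        # "secrets: inherit" on a reusable-workflow call is not a credential.
        if not match or match.group(1).lower() == "secrets":
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if AWS_KEY_ID.search(value):
            findings.append((line_no, key, "literal AWS access key ID"))
        elif SENSITIVE_NAME.search(key) and not SECRETS_REF.match(value):
            # Sensitive-looking name whose value is not a pure secrets reference.
            findings.append((line_no, key, "literal value for sensitive key"))
    return findings


# Constructed sample: the deploy job with credentials pasted in as literals.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to AWS
        env:
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
          AWS_SECRET_ACCESS_KEY: "not-a-real-secret-value"
          AWS_REGION: us-east-1
        run: |
          aws s3 cp build/ s3://my-bucket/ --recursive
"""

if __name__ == "__main__":
    for line_no, key, reason in find_hardcoded_secrets(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {key}: {reason}")
```

A check like this fits in a pre-commit hook or a pull-request job, so a pasted credential is caught before it reaches the default branch.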