GitHub Actions: Secrets and Environments

1. Encrypted Secrets: The Vault
To add a secret: Settings -> Secrets -> Actions.
- Once you add AWS_KEY, GitHub encrypts it.
- In your YAML: ${{ secrets.AWS_KEY }}.
- The Safety Feature: If your action tries to echo the secret to the log, GitHub will detect it and replace the password with ***. It is impossible for a developer to "Accidentally" leak a password in the logs.
2. Environments: Staging vs. Production
You don't want your "Testing" server and your "Money" server to have the same password.
- You create an Environment called "Production."
- You add a secret that only exists IN that environment.
- The Rule: When the action runs, it must "Target" the environment to get the correct keys.
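The workflow below is an added example (not code from the original page) that ties sections 1 and 2 together: two jobs target the environments "Staging" and "Production", so the same expression ${{ secrets.AWS_KEY }} resolves to a different value in each. The deploy.sh script and the environment names are assumptions for illustration. The second step shows the practitioner's caveat on log masking: the built-in mask only matches the exact secret string, so a value derived from the secret (here, a base64 encoding) has to be registered with ::add-mask:: or it would print in clear.

```yaml
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    # Targeting "Staging" makes secrets.AWS_KEY resolve to the value stored in that environment.
    environment: Staging
    env:
      # Pass the secret through the environment rather than interpolating it into the
      # command text, so it never appears in the step's "Run" line.
      AWS_KEY: ${{ secrets.AWS_KEY }}
    steps:
      - uses: actions/checkout@v4
      - name: Deploy with the staging key
        run: ./deploy.sh   # hypothetical script that reads $AWS_KEY
      - name: Mask a value derived from the secret
        run: |
          # GitHub masks the exact secret string only. A transformed copy (constructed
          # here with base64) is a different string, so register it before logging it.
          DERIVED="$(printf '%s' "$AWS_KEY" | base64)"
          echo "::add-mask::$DERIVED"
          echo "derived value: $DERIVED"   # appears in the log as ***

  deploy-production:
    runs-on: ubuntu-latest
    needs: deploy-staging
    # Targeting "Production" selects that environment's own AWS_KEY, and any required
    # reviewers configured on the environment must approve before these steps run.
    environment: Production
    env:
      AWS_KEY: ${{ secrets.AWS_KEY }}
    steps:
      - uses: actions/checkout@v4
      - name: Deploy with the production key
        run: ./deploy.sh
```

Because the production job declares needs: deploy-staging and the Production environment is where approvals are configured, the job order and the approval gate are both enforced by the workflow file plus the environment settings, not by convention.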
3. Deployment Protection Rules
This is the #1 feature for professional teams in 2026.
- You can tell the "Production" environment: "Wait for 2 Senior Developers to click 'Approve' before you release this code."
- This prevents a junior developer from accidentally "Auto-deploying" a bug to 10 million users on a Saturday.
4. OIDC: The "Secret-less" Password
In 2026, we are moving away from "Hard-coded Keys" entirely.
- Using OpenID Connect (OIDC), your GitHub Action can "Prove" it is your repo to AWS without a password.
- AWS trusts a "Signed Token" from GitHub.
- The Benefit: There is no password for a hacker to steal! If they break into your computer, they won't find any keys in your Bash history.
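The workflow below is an added example (not code from the original page) of the OIDC exchange described above, using the published aws-actions/configure-aws-credentials action. The role ARN, the region and the deploy.sh script are placeholders. No long-lived AWS key is stored in GitHub at all: the job requests a signed GitHub OIDC token (permissions: id-token: write) and AWS exchanges it for short-lived credentials.

```yaml
name: deploy-oidc
on:
  push:
    branches: [main]

# The job must be allowed to request an OIDC token from GitHub; keep everything else read-only.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # The environment name is carried in the token's "sub" claim, so AWS can
    # restrict the role to this repo AND this environment.
    environment: Production
    steps:
      - uses: actions/checkout@v4
      - name: Exchange the GitHub OIDC token for temporary AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Placeholder role ARN: the role's trust policy must name GitHub's OIDC
          # provider and pin the "sub" and "aud" claims (see note below).
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy
          aws-region: us-east-1
      - name: Deploy
        run: ./deploy.sh   # hypothetical script; the AWS CLI/SDK read the temporary credentials from the environment
```

The trust half lives in AWS, not in the workflow: the IAM role's trust policy should accept only the token.actions.githubusercontent.com provider, require the aud claim to be sts.amazonaws.com, and restrict the sub claim to repo:OWNER/REPO:environment:Production (OWNER/REPO being your repository). Without that sub condition, any repository that can obtain a GitHub OIDC token could assume the role, so the condition is what turns "GitHub signed this" into "this specific repo and environment signed this".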
Frequently Asked Questions
What happens if I forget a secret? You can't "See" a secret once it's added. If you lose the password, you have to "Reset" it and add a new one. This is a security feature to ensure that "Old" passwords aren't floating around in the UI.
Should I use Organization Secrets? If you have 50 different repositories that all use the same "Slack Webhook" for notifications, add it as an Organization Secret. This way, you only have to update it in ONE place when the password changes.
Key Takeaway
Secrets are the "Fuel" of your automation. By mastering the vault and the discipline of OIDC, you gain the ability to build massive global infrastructures with zero risk of theft. You graduate from "Managing passwords" to "Architecting Secure Automation."
Part of the GitHub Mastery Course — engineering the security.
