Environment Specific Secrets in GitHub Workflows
By Colin Wilson on 03 January, 2021
Introduction
If you have different environments enabled in GitHub e.g. Preview and Production, you’re able to configure secrets scoped specifically to those environments. So the value for say a secret named MY_SUPER_SECRET is specific to its corresponding environment.
Step 1 - Set Environment Specific Secrets in Github
On GitHub, navigate to the main page of your repository, click on Settings then in the left sidebar, click Environments. Select an environment from the list e.g. Preview (or create a new one by clicking on New environment).
Click on Add secret
Fill in the details and click Add secret
Step 2 - Using an Environment Specific Secret in a Workflow
Now that the environment specific secret has been added it can be referenced in a workflow.
Note: Running a workflow that references an environment that does not exist will create an environment with the referenced name.
Set the environment the job will reference using the syntax jobs.<job_id>.environment.
The deploy-preview job in the below example is set to reference the Preview environment. This grants it access to secrets set in that environment:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called/with ID "deploy-preview"
deploy-preview:
# The type of runner that the job will run on
runs-on: ubuntu-20.04
# The environment this job references
environment:
name: Preview
url: ${{ steps.step_name.outputs.url_output }} # optional
You can now consume the secrets in your workflow as normal e.g.
- name: Build
run: npm run access_fortress_of_solitude
env:
MY_SUPER_SECRET: ${{ secrets.MY_SUPER_SECRET }}
A note about job.<job_id>.environment.url
url maps to environment_url in the deployments API which sets the URL for accessing your environment. This means you can set it to a URL outputted by another step in your job. If you set the url you’ll see something like the below example in the Complete Job section of your deploy logs:
1. Evaluate and set environment url
2. Evaluated environment url: https://fortress-of-solitude-f62s6yphd.vercel.app
Your environment and environment URL (if set) will also appear in you repository’s deployments history. Just click Environments on the home page of your repository to view the details.
