Environment Specific Secrets in GitHub Workflows

By Colin Wilson on 03 January, 2021

Introduction

If you have different environments enabled in GitHub, e.g. Preview and Production, you can configure secrets scoped specifically to those environments. The value of a secret named, say, MY_SUPER_SECRET is then specific to its corresponding environment.

Step 1 - Set Environment Specific Secrets in GitHub

On GitHub, navigate to the main page of your repository, click on Settings then in the left sidebar, click Environments. Select an environment from the list e.g. Preview (or create a new one by clicking on New environment).

Click on Add secret

Fill in the details and click Add secret

Step 2 - Using an Environment Specific Secret in a Workflow

Now that the environment specific secret has been added it can be referenced in a workflow.

Note: Running a workflow that references an environment that does not exist will create an environment with the referenced name.

Set the environment the job will reference using the syntax jobs.<job_id>.environment.

The deploy-preview job in the example below is set to reference the Preview environment. This grants it access to the secrets set in that environment:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called/with ID "deploy-preview"
  deploy-preview:
    # The type of runner that the job will run on
    runs-on: ubuntu-20.04

    # The environment this job references
    environment:
      name: Preview
      url: ${{ steps.step_name.outputs.url_output }} # optional

You can now consume the secrets in your workflow as normal, e.g.:

    - name: Build
      run: npm run access_fortress_of_solitude
      env:
        MY_SUPER_SECRET: ${{ secrets.MY_SUPER_SECRET }}
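
Because a workflow that names a non-existent environment creates it rather than failing, a check like the following can run before merge to confirm that each job's environment is one you actually configured. This is an added example, not code from the original post: it is a simplified line-based scan rather than a full YAML parser, and the sample workflow, the function names and the list of known environments are assumptions.

```python
import re

# Constructed sample (not from the post): the second job misspells its environment.
SAMPLE_WORKFLOW = """\
jobs:
  deploy-preview:
    runs-on: ubuntu-20.04
    environment:
      name: Preview
      url: ${{ steps.step_name.outputs.url_output }} # optional
    steps:
      - name: Build
        run: npm run access_fortress_of_solitude
  deploy-production:
    runs-on: ubuntu-20.04
    environment: Prodution
"""

def job_environments(text):
    """Map each job id to its environment name (None if the job sets none)."""
    envs, job, job_indent, key_indent, in_jobs, in_env = {}, None, None, None, False, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop YAML comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:  # top-level key: only the jobs: block matters
            in_jobs, job, job_indent, in_env = key == "jobs", None, None, False
        elif in_jobs and indent == (job_indent := job_indent or indent):
            job, key_indent, in_env = key, None, False  # a new job id
            envs[job] = None
        elif in_jobs and indent == (key_indent := key_indent or indent):
            in_env = key == "environment"  # a direct key of the current job
            if in_env and value:  # short form, environment: Preview
                envs[job] = value
        elif in_env and key == "name" and envs[job] is None:
            envs[job] = value  # mapping form, name: nested under environment:
    return envs

def unknown_environments(text, known):
    """Return {job: environment} for names missing from `known`, an assumed
    hand-maintained list of the environments configured in repository Settings."""
    return {j: e for j, e in job_environments(text).items()
            if e is not None and e not in known}

if __name__ == "__main__":
    for job, env in unknown_environments(SAMPLE_WORKFLOW, {"Preview", "Production"}).items():
        print(f"job {job}: environment {env!r} is not configured and would be auto-created")
```

An auto-created environment starts with no secrets and no protection rules, so a job pointed at it does not receive the secret values scoped to the environment you meant.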

A note about jobs.<job_id>.environment.url

url maps to environment_url in the deployments API, which sets the URL for accessing your environment. This means you can set it to a URL output by another step in your job. If you set the url, you'll see something like the example below in the Complete Job section of your deploy logs:

 1. Evaluate and set environment url
 2. Evaluated environment url: https://fortress-of-solitude-f62s6yphd.vercel.app

Your environment and environment URL (if set) will also appear in your repository's deployments history. Just click Environments on the home page of your repository to view the details.

Copyright © Colin Wilson 2021 (3e9595d)