Repo sync #39221

Merged
merged 3 commits into from
Jul 7, 2025
5 changes: 3 additions & 2 deletions content/actions/concepts/security/index.md
@@ -1,12 +1,13 @@
---
title: Security in GitHub Actions
shortTitle: Security
intro: "Learn about security as a concept in GitHub Actions."
intro: Learn about security as a concept in GitHub Actions.
versions:
fpt: '*'
ghes: '*'
ghec: '*'
children:
- /about-secrets
- /secrets
- /about-security-hardening-with-openid-connect
---
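Review bot: the `children` entry `/about-secrets` becomes `/secrets`, which only keeps old links working if the renamed page makes the previous URL reachable; the `redirect_from` entry for `/actions/concepts/security/about-secrets` added in the next file covers that, so the two changes must land together. Dropping the quotes around the `intro` value is safe here because the string contains no colon or other YAML-significant character.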

@@ -1,45 +1,31 @@
---
title: About secrets
intro: 'Learn about secrets as they''re used in GitHub Actions.'
title: Secrets
intro: Learn about secrets as they are used in {% data variables.product.prodname_actions %} workflows.
versions:
fpt: '*'
ghes: '*'
ghec: '*'
redirect_from:
- /actions/security-for-github-actions/security-guides/about-secrets
- /actions/concepts/security/about-secrets
---

{% data reusables.actions.enterprise-github-hosted-runners %}

## About secrets

Secrets allow you to store sensitive information in your organization, repository, or repository environments. Secrets are variables that you create to use in {% data variables.product.prodname_actions %} workflows in an organization, repository, or repository environment.

{% data variables.product.prodname_actions %} can only read a secret if you explicitly include the secret in a workflow.

## Naming your secrets

>[!TIP]
> To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets.
The following rules apply to secret names:

{% data reusables.actions.actions-secrets-and-variables-naming %}

{% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.

## Using your secrets in workflows

{% data reusables.actions.secrets-redaction-warning %}
## Organization-level secrets

{% data reusables.actions.secrets-org-level-overview %}

When creating a secret for an organization, you can use a policy to limit access by repository. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.

For environment secrets, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers.

To make a secret available to an action, you must set the secret as an input or environment variable in your workflow file. Review the action's README file to learn about which inputs and environment variables the action expects. See [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv).

Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.

## Limiting credential permissions

When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use [deploy keys](/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys) or a service account. Consider granting read-only permissions if that's all that is needed, and limit access as much as possible.
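Review bot: `{% data reusables.actions.secrets-redaction-warning %}` is immediately followed by the `## Organization-level secrets` heading with no blank line between them; add one so the reusable's output is not glued to the heading. The paragraph beginning "For environment secrets, you can enable required reviewers" and the one on when secrets are read both sit under the organization-level heading although they describe environment and repository secrets; an `## Environment secrets` heading (or the "When GitHub Actions reads secrets" heading used in the new reference page) would keep the section titles honest.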
Expand All @@ -48,6 +34,18 @@ When generating a {% data variables.product.pat_v1 %}, select the fewest scopes

Instead of using a {% data variables.product.pat_generic %}, consider using a {% data variables.product.prodname_github_app %}, which uses fine-grained permissions and short lived tokens, similar to a {% data variables.product.pat_v2 %}. Unlike a {% data variables.product.pat_generic %}, a {% data variables.product.prodname_github_app %} is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see [AUTOTITLE](/apps/creating-github-apps/guides/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow).

## Automatically redacted secrets

{% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.prodname_dotcom %} secrets that are printed to workflow logs.

{% data variables.product.prodname_actions %} also redacts information that is recognized as sensitive, but is not stored as a secret. For a list of automatically redacted secrets, see [AUTOTITLE](/actions/reference/secrets-reference#automatically-redacted-secrets).

> [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions).
As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log).

Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs).

## Further reading

* [AUTOTITLE](/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions)
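Review bot: the one-line `> [!NOTE] If you would like other types of sensitive information...` is followed directly by the "As a habit of best practice" paragraph with no blank line, so Markdown treats that paragraph as a lazy continuation of the blockquote and renders it inside the callout; insert a blank line after the note and put `[!NOTE]` on its own line, as the `[!TIP]` and `[!WARNING]` alerts elsewhere in this PR do.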
Expand Up @@ -20,7 +20,7 @@ You can set your own custom variables or use the default environment variables t
You can set a custom variable in two ways.

* To define an environment variable for use in a single workflow, you can use the `env` key in the workflow file. For more information, see [Defining environment variables for a single workflow](/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#defining-environment-variables-for-a-single-workflow).
* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. For more information, see [Defining configuration variables for multiple workflows](/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#defining-configuration-variables-for-multiple-workflows).
* To define a configuration variable across multiple workflows, you can define it at the organization, repository, or environment level. When creating a variable in an organization, you can use a policy to limit access by repository. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories. For more information, see [Defining configuration variables for multiple workflows](/actions/how-tos/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#defining-configuration-variables-for-multiple-workflows).

> [!WARNING]
> By default, variables render unmasked in your build outputs. If you need greater security for sensitive information, such as passwords, use secrets instead. For more information, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).
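Review bot: the warning at the end of this hunk still links to `/actions/security-for-github-actions/security-guides/about-secrets`, the page this PR renames to `/actions/concepts/security/secrets`; the new `redirect_from` keeps the old URL working, but updating the link to the new path avoids relying on the redirect. The added access-policy sentence repeats the wording now on the secrets concept page almost verbatim; a short cross-link would be easier to keep in sync.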
@@ -1,7 +1,7 @@
---
title: Using secrets in GitHub Actions
shortTitle: Using secrets
intro: 'Secrets allow you to store sensitive information in your organization, repository, or repository environments.'
intro: 'Learn how to create secrets at the repository, environment, and organization levels for {% data variables.product.prodname_actions %} workflows.'
redirect_from:
- /github/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets
- /actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets
Expand All @@ -19,10 +19,6 @@ versions:
ghec: '*'
---

{% data reusables.actions.enterprise-github-hosted-runners %}

For general information about secrets, see [AUTOTITLE](/actions/security-for-github-actions/security-guides/about-secrets).

## Creating secrets for a repository

{% data reusables.actions.permissions-statement-secrets-variables-repository %}
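Review bot: removing the "For general information about secrets, see ..." line leaves this how-to with no link back to the concept page; consider replacing it with a link to `/actions/concepts/security/secrets` rather than dropping it. Note also that `{% data reusables.actions.enterprise-github-hosted-runners %}` is removed here but kept on the concept page, so the hosted-runner caveat now appears only there.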
Expand All @@ -45,8 +41,6 @@ If your repository has environment secrets or can access secrets from the parent

{% cli %}

{% data reusables.cli.cli-learn-more %}

To add a repository secret, use the `gh secret set` subcommand. Replace `secret-name` with the name of your secret.

```shell
Expand Down Expand Up @@ -172,6 +166,8 @@ You can check which access policies are being applied to a secret in your organi
> * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow).
> {% data reusables.actions.about-oidc-short-overview %}
> [!WARNING] Mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs.
To provide an action with a secret as an input or environment variable, you can use the `secrets` context to access secrets you've created in your repository. For more information, see [AUTOTITLE](/actions/learn-github-actions/contexts) and [AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions).

{% raw %}
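Review bot: the new `> [!WARNING] Mask all sensitive information...` line is attached to the preceding `>` note block with no blank line before it, and the "To provide an action with a secret" paragraph follows it with no blank line after, so it will render as a continuation of the note rather than as a separate warning and will pull the following paragraph into the blockquote; surround it with blank lines and put `[!WARNING]` on its own line.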
Expand Down Expand Up @@ -240,19 +236,7 @@ steps:

{% endraw %}

## Limits for secrets

You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.

A workflow created in a repository can access the following number of secrets:

* All 100 repository secrets.
* If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name).
* All 100 environment secrets.

Secrets are limited to 48 KB in size. To store larger secrets, see the [Storing large secrets](#storing-large-secrets) workaround below.

### Storing large secrets
## Storing large secrets

To use secrets that are larger than 48 KB, you can use a workaround to store secrets in your repository and save the decryption passphrase as a secret on {% data variables.product.prodname_dotcom %}. For example, you can use `gpg` to encrypt a file containing your secret locally before checking the encrypted file in to your repository on {% data variables.product.prodname_dotcom %}. For more information, see the [gpg manpage](https://www.gnupg.org/gph/de/manual/r1023.html).

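Review bot: with the "Limits for secrets" section removed from this page, the 48 KB figure in "To use secrets that are larger than 48 KB" is now stated without its source; link it to the new `/actions/reference/secrets-reference#limits-for-secrets` section. The `gpg` manpage link points at the German-language path (`/gph/de/manual/r1023.html`); the English manual would suit an English page better.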
Expand Down Expand Up @@ -330,7 +314,8 @@ To use secrets that are larger than 48 KB, you can use a workaround to store sec
You can use Base64 encoding to store small binary blobs as secrets. You can then reference the secret in your workflow and decode it for use on the runner. For the size limits, see [AUTOTITLE](/actions/security-guides/using-secrets-in-github-actions#limits-for-secrets).

> [!NOTE]
> Note that Base64 only converts binary to text, and is not a substitute for actual encryption.
> * Note that Base64 only converts binary to text, and is not a substitute for actual encryption.
> * Using another shell might require different commands for decoding the secret to a file. On Windows runners, we recommend [using a bash shell](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell) with `shell: bash` to use the commands in the `run` step above.

1. Use `base64` to encode your file into a Base64 string. For example:

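Review bot: the link `/actions/security-guides/using-secrets-in-github-actions#limits-for-secrets` now points at a heading that this PR deletes from that page (the limits moved to `/actions/reference/secrets-reference#limits-for-secrets`), so it should be updated. The relocated note still says "the commands in the `run` step above", but it now sits before step 1 and the `run` step it refers to, so "above" should become "below".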
Expand Down Expand Up @@ -374,33 +359,3 @@ You can use Base64 encoding to store small binary blobs as secrets. You can then
run: |
openssl x509 -in cert.der -inform DER -text -noout
```

> [!NOTE]
> Using another shell might require different commands for decoding the secret to a file. On Windows runners, we recommend [using a bash shell](/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell) with `shell: bash` to use the commands in the `run` step above.

## Redacting secrets from workflow run logs

{% data variables.product.prodname_actions %} automatically redacts the contents of all {% data variables.product.prodname_dotcom %} secrets that are printed to workflow logs.

{% data variables.product.prodname_actions %} also redacts information that is recognized as sensitive, but is not stored as a secret. Currently {% data variables.product.prodname_dotcom %} supports the following:

* 32-byte and 64-byte Azure keys
* Azure AD client app passwords
* Azure Cache keys
* Azure Container Registry keys
* Azure Function host keys
* Azure Search keys
* Database connection strings
* HTTP Bearer token headers
* JWTs
* NPM author tokens
* NuGet API keys
* v1 GitHub installation tokens
* v2 GitHub installation tokens (`ghp`, `gho`, `ghu`, `ghs`, `ghr`)
* v2 GitHub PATs

> [!NOTE] If you would like other types of sensitive information to be automatically redacted, please reach out to us in our [community discussions](https://github.com/orgs/community/discussions?discussions_q=is%3Aopen+label%3AActions).

As a habit of best practice, you should mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see [AUTOTITLE](/actions/using-workflows/workflow-commands-for-github-actions#masking-a-value-in-a-log).

Redacting of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see [AUTOTITLE](/actions/monitoring-and-troubleshooting-workflows/using-workflow-run-logs#deleting-logs).
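Review bot: deleting the "## Redacting secrets from workflow run logs" section removes the `#redacting-secrets-from-workflow-run-logs` anchor from this page; search the docs for links to that anchor and repoint them to the new "Automatically redacted secrets" sections on the concept and reference pages, since a page-level redirect cannot retarget a heading anchor.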
1 change: 1 addition & 0 deletions content/actions/reference/index.md
Expand Up @@ -11,6 +11,7 @@ children:
- /events-that-trigger-workflows
- /workflow-commands-for-github-actions
- /variables-reference
- /secrets-reference
- /evaluate-expressions-in-workflows-and-actions
- /contexts-reference
- /metadata-syntax-reference
55 changes: 55 additions & 0 deletions content/actions/reference/secrets-reference.md
@@ -0,0 +1,55 @@
---
title: Secrets reference
shortTitle: Secrets reference
intro: 'Find technical information about secrets in {% data variables.product.prodname_actions %}.'
versions:
fpt: '*'
ghec: '*'
ghes: '*'
---

## Naming your secrets

>[!TIP]
> To help ensure that {% data variables.product.prodname_dotcom %} redacts your secrets in logs correctly, avoid using structured data as the values of secrets.
The following rules apply to secret names:

{% data reusables.actions.actions-secrets-and-variables-naming %}

{% data reusables.codespaces.secret-precedence %} Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.

## Limits for secrets

You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.

A workflow created in a repository can access the following number of secrets:

* All 100 repository secrets.
* If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name).
* All 100 environment secrets.

Secrets are limited to 48 KB in size. To store larger secrets, see [AUTOTITLE](/actions/how-tos/security-for-github-actions/security-guides/using-secrets-in-github-actions#storing-large-secrets).

## When {% data variables.product.prodname_actions %} reads secrets

Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.

## Automatically redacted secrets

{% data variables.product.prodname_dotcom %} automatically redacts the following sensitive information from workflow logs.

* 32-byte and 64-byte Azure keys
* Azure AD client app passwords
* Azure Cache keys
* Azure Container Registry keys
* Azure Function host keys
* Azure Search keys
* Database connection strings
* HTTP Bearer token headers
* JWTs
* NPM author tokens
* NuGet API keys
* v1 GitHub installation tokens
* v2 GitHub installation tokens (`ghp`, `gho`, `ghu`, `ghs`, `ghr`)
* v2 GitHub PATs
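Review bot: the `>[!TIP]` block is followed directly by "The following rules apply to secret names:" with no blank line, so that sentence is rendered inside the tip callout; add a blank line after the tip. Under "Automatically redacted secrets", the intro sentence drops the statement (kept on the concept page) that the contents of all GitHub secrets are redacted and lists only the pattern-based detections; restating it here would keep the reference complete. The "v2 GitHub installation tokens" line lists `ghp`, which is the prefix of classic personal access tokens already covered by the separate "v2 GitHub PATs" entry; worth verifying the grouping while the list is being moved.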
Expand Up @@ -92,15 +92,13 @@ If you use **{% data variables.copilot.copilot_free_short %}**, you have access
|-------------------------------------------------------------------------|--------------------------------|-----------------------|
| {% data variables.copilot.copilot_gpt_41 %} | 0 | 1 |
| {% data variables.copilot.copilot_gpt_4o %} | 0 | 1 |
| {% data variables.copilot.copilot_gpt_45 %} | 50 | Not applicable |
| {% data variables.copilot.copilot_claude_sonnet_35 %} | 1 | 1 |
| {% data variables.copilot.copilot_claude_sonnet_37 %} | 1 | Not applicable |
| {% data variables.copilot.copilot_claude_sonnet_37 %} Thinking | 1.25 | Not applicable |
| {% data variables.copilot.copilot_claude_sonnet_40 %} | 1 | Not applicable |
| {% data variables.copilot.copilot_claude_opus %} | 10 | Not applicable |
| {% data variables.copilot.copilot_gemini_flash %} | 0.25 | 1 |
| {% data variables.copilot.copilot_gemini_25_pro %} | 1 | Not applicable |
| {% data variables.copilot.copilot_o1 %} | 10 | Not applicable |
| {% data variables.copilot.copilot_o3 %} | 1 | Not applicable |
| {% data variables.copilot.copilot_o3_mini %} | 0.33 | 1 |
| {% data variables.copilot.copilot_o4_mini %} | 0.33 | Not applicable |
Expand All @@ -111,6 +109,6 @@ If you use **{% data variables.copilot.copilot_free_short %}**, you have access

Premium request usage is based on the model’s multiplier and the feature you’re using. For example:

* **Using {% data variables.copilot.copilot_gpt_45 %} in {% data variables.copilot.copilot_chat_short %}**: With a 50× multiplier, one interaction counts as 50 premium requests.
* **Using {% data variables.copilot.copilot_claude_opus %} in {% data variables.copilot.copilot_chat_short %}**: With a 10× multiplier, one interaction counts as 10 premium requests.
* **Using {% data variables.copilot.copilot_gpt_41 %} on {% data variables.copilot.copilot_free_short %}**: Each interaction counts as 1 premium request.
* **Using {% data variables.copilot.copilot_gpt_41 %} on a paid plan**: No premium requests are consumed.