LinuxCommandLibrary

gh-secret

Manage GitHub Actions secrets

TLDR

List secret keys for the current repository

$ gh secret [[ls|list]]
copy

List secret keys for a specific organization
$ gh secret [[ls|list]] [[-o|--org]] [organization]
copy

List secret keys for a specific repository
$ gh secret [[ls|list]] [[-R|--repo]] [owner]/[repository]
copy

Set a secret for the current repository (user will be prompted for the value)
$ gh secret set [name]
copy

Set a secret from a file for the current repository
$ gh < [path/to/file] secret set [name]
copy

Set an organization secret for specific repositories
$ gh secret set [name] [[-o|--org]] [organization] [[-r|--repos]] [repository1,repository2]
copy

Remove a secret for the current repository
$ gh secret remove [name]
copy

Remove a secret for a specific organization
$ gh secret remove [name] [[-o|--org]] [organization]
copy

SYNOPSIS

gh secret <list|set|delete|view> [flags]

PARAMETERS

list
    List all secrets for repo, env, or org

set <NAME>
    Set or update a secret value (prompts or from file)

delete <NAME>
    Permanently delete a secret

view <NAME>
    Display secret value (visible only to authorized users)

-R, --repo [<HOST/>]OWNER/REPO
    Target specific repository

--env <ENVIRONMENT>
    Target specific environment

--org <ORGANIZATION>
    Target organization secrets

-f, --file <file>
    Read secret from file (for set)

--body <text>
    Read secret value from string (for set)

--json
    Output secrets as JSON (for list)

--jq <expression>
    Filter JSON output with jq (for list)

--limit <max>
    Limit number of secrets listed (for list)

DESCRIPTION

The gh secret command, part of the GitHub CLI (gh), enables management of encrypted secrets used in GitHub Actions workflows for repositories, environments, and organizations.

It supports listing, setting, viewing, and deleting secrets directly from the terminal, streamlining CI/CD secret handling without browser access.

Secrets are base64-encoded and encrypted by GitHub, accessible only during workflow runs. Common use cases include API tokens, deploy keys, or credentials for automated deployments.

For instance, gh secret set AWS_KEY securely prompts for input and uploads it. List with gh secret list, targeting specific repos via --repo or orgs via --org. Environment-specific secrets use --env.

Requires authentication via gh auth login with appropriate repo/org permissions. Integrates seamlessly with Git workflows.

CAVEATS

Requires gh auth login with secrets:write permission. Viewing prints plaintext—avoid in shared terminals. No bulk operations; rate-limited by GitHub API. Not for user/org-level secrets outside repo/org context.

EXAMPLES

gh secret set TOKEN (interactive)
gh secret set TOKEN -f key.txt --repo owner/repo
gh secret list --org myorg --json | jq '.[].name'

SECURITY NOTE

Never commit secrets to git; use gh secret or git filter-repo to scrub history.

HISTORY

Introduced in GitHub CLI v0.5.0 (April 2020) as part of early gh releases to support Actions secrets. Evolved with env/org support in v1.x; actively maintained by GitHub.

SEE ALSO

gh(1), git(1)

Copied to clipboard