LinuxCommandLibrary

gh-secret

Manage GitHub Actions secrets

TLDR

List secret keys for the current repository

$ gh secret list

List secret keys for a specific organization
$ gh secret list [[-o|--org]] [organization]

List secret keys for a specific repository
$ gh secret list [[-R|--repo]] [owner]/[repository]

Set a secret for the current repository (when stdin is a terminal, gh prompts for the value; otherwise it reads the value from stdin)
$ gh secret set [name]

Set a secret from a file for the current repository
$ gh secret set [name] < [path/to/file]

Set an organization secret for specific repositories
$ gh secret set [name] [[-o|--org]] [organization] [[-r|--repos]] [repository1,repository2]

Remove a secret for the current repository
$ gh secret remove [name]

Remove a secret for a specific organization
$ gh secret remove [name] [[-o|--org]] [organization]

SYNOPSIS

gh secret <subcommand> [<secret-name>] [options]

PARAMETERS

<secret-name>
    The name of the secret to manage. Required for the set and delete subcommands (remove is an alias of delete). Names are case-insensitive, may contain only letters, digits and underscores, and must not start with GITHUB_ or a digit.

--body, -b <string>
    The value of the secret to set. If omitted, the value is read from standard input (or prompted for when stdin is a terminal). Used only with the set subcommand. Note that a value passed with --body is part of the process argument list, so it is visible to other local users via ps or /proc/<pid>/cmdline and is normally written to the shell history; prefer stdin or --env-file for anything sensitive.

--env, -e <name>
    Scopes the secret to a specific environment within a repository. This option is used to manage environment-specific secrets and is applicable to the set, delete, and list subcommands.

--org, -o <name>
    Scopes the secret to an entire organization. Use this option to manage organization-wide secrets. Applicable to the set, delete, and list subcommands.

--repos, -r <list>
    A comma-separated list of repository names that an organization (or user) secret should be accessible from. Used with the set subcommand; for organization secrets it implies --visibility selected, and the list given replaces any previously selected repositories rather than being merged with them.

--visibility, -v <string>
    Sets the visibility of an organization secret. Accepted values are all (accessible to all repositories in the organization), private (accessible only to private repositories), or selected (accessible to specific repositories defined by --repos). Defaults to private if not specified. Used with the set subcommand for organization secrets.

--env-file, -f <file>
    Load secret names and values from a dotenv-formatted file (one NAME=value per line) and set each of them in one run. Used with the set subcommand; this keeps values out of argv and shell history in the same way stdin does.

--no-store
    Used with the set subcommand. Print the base64-encoded, libsodium sealed-box encrypted value (encrypted with the target's public key) instead of storing it on GitHub, for example to feed it to a separate API call.

--user, -u
    Scopes the secret to your own user account (Codespaces user secrets). Applicable to the set, delete, and list subcommands.

--app, -a <string>
    Specifies the application the secret belongs to. Accepted values are actions (GitHub Actions workflows), codespaces (GitHub Codespaces) or dependabot (Dependabot updates). Defaults to actions if not specified. Applicable to the set, delete, and list subcommands.

DESCRIPTION

The gh secret command is the GitHub CLI (gh) interface for managing encrypted secrets stored by GitHub for use in GitHub Actions workflows, Codespaces and Dependabot. It can set, list and delete secrets; it cannot read their values back. Values are encrypted client-side with the public key of the target repository, environment, organization or user before they are sent to GitHub, which is why the --no-store option can print the encrypted form. Secrets can be scoped to a single repository, to a deployment environment within a repository, to an organization (optionally restricted to selected repositories), or to the current user, so credentials such as API tokens, private keys and passwords can be kept out of source code and exposed only to the workflows that need them.

CAVEATS

The gh secret command requires the GitHub CLI (gh) to be installed and authenticated (gh auth login) with a token that has the repo scope, and additionally admin:org for organization secrets.
Once set, a secret's value cannot be read back through this command or the REST API; gh secret list shows only names and update timestamps. To change a value, set it again; to rotate a credential, issue a new one and set it, then revoke the old one at the issuer.
Managing repository secrets requires admin (or equivalent collaborator) access to the repository; managing organization secrets requires the organization owner role or an equivalent custom role. Anyone who can modify a workflow in a repository that can see a secret can also exfiltrate its value, so secret access is only as tight as write access to the workflows that use it.

SECURITY BEST PRACTICES

Never put a secret value on the command line with --body or hardcode it in a script: argv is visible to all local users through ps and /proc/<pid>/cmdline while gh runs, and interactive shells record the command in history. Feed the value through stdin instead, either from a variable (printf '%s' "$MY_SECRET_VALUE" | gh secret set MY_SECRET), from a file with restrictive permissions (gh secret set MY_SECRET < path/to/file), or from a dotenv file with --env-file. Prefer printf '%s' over echo so no trailing newline is appended to the stored value, and delete temporary files holding secret material once they have been uploaded.
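The following wrappers are an added example for this page, not code from the gh project. They hand the value to `gh secret set` on standard input so it never appears in the argument list, validate the variable name before it is expanded, and refuse to upload a file that other users can read. `GH_BIN` is an assumption introduced here so the helpers can be pointed at a stand-in binary for testing; it defaults to the real `gh`.

```shell
#!/bin/sh
# Added example (not part of the gh CLI): pass secret values to
# `gh secret set` via stdin rather than --body, so the value is never in
# argv (ps, /proc/<pid>/cmdline) or the shell history.
set -e

# GH_BIN is a hypothetical override used by this example only; it lets the
# helpers be exercised against a stand-in instead of the real CLI.
GH_BIN="${GH_BIN:-gh}"

# set_secret_from_var NAME VARNAME [gh flags...]
# Reads the value held in shell variable VARNAME and pipes it to gh.
# printf '%s' is used instead of echo so no trailing newline is stored.
set_secret_from_var() {
  name="$1"; var="$2"; shift 2
  # Only a plain identifier is allowed before it is expanded with eval.
  case "$var" in
    ''|*[!A-Za-z0-9_]*|[0-9]*) echo "bad variable name: $var" >&2; return 1 ;;
  esac
  eval "val=\${$var:-}"
  [ -n "$val" ] || { echo "$var is empty" >&2; return 1; }
  printf '%s' "$val" | "$GH_BIN" secret set "$name" "$@"
}

# set_secret_from_file NAME PATH [gh flags...]
# Streams a file (private key, CA bundle, kubeconfig) into the secret.
# Refuses files readable by group or others: a world-readable private key
# has already leaked locally and should be rotated, not uploaded.
set_secret_from_file() {
  name="$1"; path="$2"; shift 2
  [ -r "$path" ] || { echo "cannot read $path" >&2; return 1; }
  # Columns 5-10 of `ls -l` are the group and other permission bits.
  perms=$(ls -ld "$path" | cut -c5-10)
  case "$perms" in
    *r*) echo "$path is group/world readable; chmod 600 it first" >&2; return 1 ;;
  esac
  "$GH_BIN" secret set "$name" "$@" < "$path"
}

# Usage with the real CLI (flags after the value source are passed to gh):
#   DB_PASSWORD=$(pass show prod/db)        # from a password manager
#   set_secret_from_var DB_PASSWORD DB_PASSWORD -R owner/repo
#   set_secret_from_file DEPLOY_KEY ~/.ssh/deploy_ed25519 -e production
```

Both helpers leave the gh invocation itself on argv (`secret set NAME -R owner/repo`), which is harmless; only the value moves to stdin. The file helper's permission check is a heuristic, not a guarantee: it catches the common case of a key copied around with mode 644, but not a file that was readable earlier and tightened later.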

UNDERSTANDING SECRET SCOPES

Secrets exist at four scopes: repository (the default, for the current or --repo repository), environment (--env, for a named deployment environment inside a repository, which can additionally require reviewers before a job may read it), organization (--org, shared across repositories subject to --visibility and --repos), and user (--user, for Codespaces). When the same name exists at more than one scope, the most specific one wins in a workflow: environment over repository over organization. Use the narrowest scope that works: an organization secret visible to all repositories is readable by any workflow in any of them, including forks' pull requests once they are approved to run.

APPLICATION TARGETING

Secrets managed by gh secret belong to exactly one application, selected with --app: actions (the default), codespaces or dependabot. The stores are separate, so a secret set for Actions is not visible to a Dependabot update job and vice versa, and gh secret list shows only the store selected by --app. Keep the credential sets separate as well; a Dependabot job needs far fewer privileges than a deployment workflow.

HISTORY

The gh secret command is part of the GitHub CLI, whose public beta was released in February 2020 and which reached general availability in September 2020. As GitHub Actions and later Codespaces and Dependabot gained adoption, a command-line way to manage the credentials those services consume became necessary for scripting CI/CD setup, and gh secret was added to wrap the REST secrets endpoints, including the client-side sealed-box encryption they require. Later releases extended it with environment, user and Dependabot scopes and the --env-file and --no-store options.

SEE ALSO

gh(1), git(1), gpg(1)
