gh-secret
Manage GitHub secrets
TLDR
SYNOPSIS
gh secret command [options]
DESCRIPTION
gh secret manages encrypted secrets for GitHub Actions, Codespaces, and Dependabot. Secrets are encrypted and only exposed to workflows at runtime, providing secure credential storage for CI/CD pipelines.
The command supports repository, organization, environment, and user-level secrets. Organization secrets can be scoped to specific repositories via --visibility and --repos. Values are encrypted before transmission and storage. The --app flag selects which application the secret is for (actions, codespaces, or dependabot).
PARAMETERS
list
    List secrets.
set NAME
    Create or update a secret.
delete NAME
    Delete a secret.
--org ORGNAME
    Target organization secrets.
--env ENVIRONMENT
    Target environment secrets.
-a, --app APP
    Target application: actions, codespaces, or dependabot.
-b, --body STRING
    Provide the secret value directly (reads from stdin if omitted).
-f, --env-file FILE
    Import secret names and values from a dotenv-formatted file.
--visibility SCOPE
    Secret visibility for org secrets (all, private, selected). Default: private.
--repos REPOS
    Repositories for selected visibility.
-u, --user
    Set or list a secret for your user (Codespaces).
-R, --repo [HOST/]OWNER/REPO
    Target a specific repository.
--no-store
    Output the encrypted, base64-encoded value without storing on GitHub.
--help
    Display help information.
CAVEATS
Secrets are write-only; values cannot be retrieved. Admin access required for org secrets. Secret names are case-insensitive.
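An added example, not part of gh or of this page's original text: a pre-flight check for a dotenv file before it is passed to gh secret set -f. It flags names that collide once case is ignored (the caveat above) and names GitHub's secret naming rules reject (characters other than letters, digits and underscore, a leading digit, the GITHUB_ prefix). The function name lint_secret_env and the sample file are hypothetical, and the check assumes plain NAME=value lines.

```shell
#!/usr/bin/env bash
# Added example (not part of gh): lint a dotenv file before `gh secret set -f`.
# Assumes plain NAME=value lines. Findings never print a secret value.
lint_secret_env() (
  export LC_ALL=C
  file=$1; lineno=0; seen=" "; rc=0
  [ -r "$file" ] || { echo "cannot read $file"; exit 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case $line in
      ''|'#'*) continue ;;                      # blank line or comment
      *=*) name=${line%%=*} ;;                  # text before the first '='
      *) echo "line $lineno: not a NAME=value pair"; rc=1; continue ;;
    esac
    case $name in                               # letters, digits, underscore only
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "line $lineno: invalid secret name"; rc=1; continue ;;
    esac
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    case $upper in
      GITHUB_*)
        echo "line $lineno: $name uses the reserved GITHUB_ prefix"; rc=1; continue ;;
    esac
    case $seen in                               # names are case-insensitive
      *" $upper "*)
        echo "line $lineno: $name collides with an earlier name (case-insensitive)"; rc=1 ;;
      *) seen="$seen$upper " ;;
    esac
  done < "$file"
  [ "$rc" -eq 0 ]
)

# Constructed sample input; the values are placeholders, not real credentials.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
API_KEY=placeholder-1
api_key=placeholder-2
GITHUB_TOKEN=placeholder-3
2FA_SEED=placeholder-4
DB-PASS=placeholder-5
EOF
lint_secret_env "$sample" || echo "fix the findings above before running: gh secret set -f FILE"
rm -f "$sample"
```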
HISTORY
gh secret was added to the GitHub CLI to support GitHub Actions secret management, critical for secure CI/CD workflows.
SEE ALSO
gh(1), gh-secret-set(1), gh-variable(1), gh-run(1)
