LinuxCommandLibrary

gh-secret-set

Set GitHub Actions secrets

TLDR

Set a secret for the current repository (user will be prompted for the value)
$ gh secret set [name]

Set a secret from a file for the current repository
$ gh secret set [name] < [path/to/file]

Set a secret for a specific repository
$ gh secret set [name] [[-b|--body]] [value] [[-R|--repo]] [owner]/[repository]

Set an organization secret for specific repositories
$ gh secret set [name] [[-o|--org]] [organization] [[-r|--repos]] "[repository1,repository2,...]"

Set an organization secret with a specific visibility
$ gh secret set [name] [[-o|--org]] [organization] [[-v|--visibility]] [all|private|selected]

SYNOPSIS

gh secret set <NAME> [--body <VALUE>] [--repo <REPOSITORY>] [--org <ORGANIZATION>] [--env <ENVIRONMENT>] [--app <GITHUB_APP>]

PARAMETERS

--app <GITHUB_APP>
    Set deployment secret for a GitHub App ID or name

--body <VALUE>
    Provide secret value as inline argument (avoids prompt)

--env <ENVIRONMENT>
    Set secret for a specific environment in the repository

--org <ORGANIZATION>
    Set an organization-wide secret

--repo <REPOSITORY>
    Explicitly set secret for a specific repository (owner/repo format)

DESCRIPTION

The gh secret set command is part of the GitHub CLI (gh) toolset, designed to manage encrypted secrets used in GitHub Actions workflows. Secrets are securely stored on GitHub servers and can be referenced in workflows without exposing sensitive data like API keys, tokens, or credentials in repositories.

It prompts for the secret value interactively (using secure input to avoid terminal history logging) unless provided via --body or stdin. Secrets are scoped to repositories, organizations, environments, or GitHub Apps. Requires appropriate permissions: repo secrets need repo or workflow write access; org secrets need admin:org.

Use cases include automating CI/CD pipelines, deploying apps securely, or sharing credentials across workflows. Once set, secrets appear masked in gh secret list and are automatically available as environment variables in Actions jobs matching the scope.

Supports overwriting existing secrets. Values are base64-encoded internally for security.

CAVEATS

Requires GitHub CLI authentication via gh auth login. Secret values cannot be retrieved after setting (use gh secret view before overwriting). Interactive prompts fail in non-interactive shells without --body. Limited to 48KB per secret. No support for user-level secrets.

INPUT METHODS

Value read from stdin if no TTY and no --body; secure prompt otherwise. Pipe secrets via echo 'value' | gh secret set KEY.
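
The wrapper below is an added example, not part of the original page or of the gh project. It uses the stdin input method so the value never appears on the command line (and so not in shell history or the process list), and it enforces the 48KB limit from CAVEATS. The helper names, the owner-only file permission check and the name rules (letters, digits and underscore, no leading digit, no GITHUB_ prefix) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not gh's own code. Helper names are hypothetical.
MAX_SECRET_BYTES=49152  # 48KB limit from CAVEATS, assuming 1KB = 1024 bytes

# Assumed name rules: letters, digits, underscore; no leading digit;
# no GITHUB_ prefix.
valid_secret_name() {
  case "$1" in
    '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    [Gg][Ii][Tt][Hh][Uu][Bb]_*) return 1 ;;
  esac
  return 0
}

# Usage: set_secret_from_file NAME FILE OWNER/REPO [ENVIRONMENT]
set_secret_from_file() {
  name=$1 file=$2 repo=$3 envname=${4:-}
  valid_secret_name "$name" || { echo "invalid secret name: $name" >&2; return 2; }
  if [ ! -f "$file" ] || [ ! -r "$file" ]; then
    echo "cannot read $file" >&2; return 3
  fi
  # Refuse a file that group or other users can read.
  if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
    echo "$file is readable by group/others; run chmod 600 first" >&2; return 4
  fi
  size=$(($(wc -c < "$file")))
  if [ "$size" -eq 0 ] || [ "$size" -gt "$MAX_SECRET_BYTES" ]; then
    echo "$file is $size bytes; need 1..$MAX_SECRET_BYTES" >&2; return 5
  fi
  # The value travels on stdin only; argv carries just the name and scope.
  if [ -n "$envname" ]; then
    gh secret set "$name" --repo "$repo" --env "$envname" < "$file"
  else
    gh secret set "$name" --repo "$repo" < "$file"
  fi
}
```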

PERMISSIONS

Needs repo:write or admin:org scopes. Check with gh auth status.

HISTORY

Introduced in GitHub CLI v0.5.0 (2020) alongside Actions support. Enhanced in v2.0+ with environment and App scopes. Actively maintained by GitHub for gh v2.40+ as of 2024.

SEE ALSO

gh secret list(1), gh secret remove(1), gh secret view(1), gh repo view(1)
