Security is not optional — especially when your entire pipeline lives in GitHub. This post is a comprehensive guide to managing sensitive data such as API keys, access tokens, and cloud credentials using GitHub’s built-in capabilities. Whether you’re deploying to Azure, AWS, or something else entirely, it’s critical to ensure credentials are handled correctly.
🔐 Why Secrets Matter in DevOps
Secrets in CI/CD pipelines are the keys to your kingdom. They unlock databases, connect to cloud platforms, and authenticate with external APIs. If a token leaks — even temporarily — it can be exploited before you’ve had a chance to revoke it.
🛠️ Setting Up GitHub Secrets
- Repository Secrets – Scoped to one repo
- Organization Secrets – Shared across multiple repos
- Environment Secrets – Tied to GitHub environments
🧪 Step-by-Step: Adding a Secret
- Go to your repository.
- Click on Settings > Secrets and Variables > Actions.
- Click New repository secret.
- Name it `AZURE_CREDENTIALS` and paste your secret value.

Reference it in a workflow through the `secrets` context; the value is injected at run time and never stored in the repository:

```yaml
env:
  AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
```
🌐 Environment-Specific Secrets
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    # Binding the job to an environment exposes that environment's secrets
    # and applies any protection rules configured on it.
    environment: production
    steps:
      - name: Use production credentials
        # Hand the secret to the step via env; do not interpolate it into the
        # command line or echo it, even though the runner masks known values.
        env:
          PROD_DB_PASSWORD: ${{ secrets.PROD_DB_PASSWORD }}
        run: test -n "$PROD_DB_PASSWORD" && echo "Production credentials loaded"
```
⚠️ Do’s and Don’ts
| ✅ Do This | ❌ Don’t Do This |
|---|---|
| Use environment secrets | Hardcode credentials in code |
| Rotate secrets regularly | Reuse secrets across environments |
| Mask secrets in logs | Echo secrets to logs |
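The "Rotate secrets regularly" row is easy to state and hard to keep honest, because nothing in the Actions UI flags a secret that has not been touched in a year. GitHub's REST API does expose each secret's `updated_at` timestamp (never its value), so staleness can be checked mechanically. The script below is an added example, not code from the original post: it parses the response shape of `GET /repos/{owner}/{repo}/actions/secrets` (the organization endpoint returns the same `secrets` array) and lists every secret last updated more than a threshold ago. `SAMPLE_RESPONSE` is constructed, and the 90-day default, the secret names and the fixed reference date are assumptions made for the example.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample of the JSON returned by
#   GET /repos/{owner}/{repo}/actions/secrets
# The API returns only metadata (names and timestamps), never secret values.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 3,
    "secrets": [
        {"name": "AZURE_CREDENTIALS", "created_at": "2024-01-10T09:00:00Z",
         "updated_at": "2024-01-10T09:00:00Z"},
        {"name": "PROD_DB_PASSWORD", "created_at": "2023-06-01T12:00:00Z",
         "updated_at": "2025-05-20T08:30:00Z"},
        {"name": "STORAGE_KEY", "created_at": "2024-11-15T15:45:00Z",
         "updated_at": "2024-11-15T15:45:00Z"},
    ],
})

# Fixed reference time so the example is reproducible (assumption for the demo);
# the main block below uses the real clock when fed live API output.
REFERENCE_NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_gh_timestamp(ts: str) -> datetime:
    """Parse the UTC ISO-8601 timestamps GitHub returns (e.g. 2024-01-10T09:00:00Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_secrets(response_json: str, max_age_days: int,
                  now: datetime = REFERENCE_NOW) -> list[tuple[str, int]]:
    """Return (name, age_in_days) for every secret whose value was last
    updated more than max_age_days ago, oldest first.

    updated_at changes whenever the secret value is overwritten, which is the
    closest proxy the API offers for "when was this last rotated".
    """
    data = json.loads(response_json)
    stale = []
    for secret in data["secrets"]:
        age_days = (now - parse_gh_timestamp(secret["updated_at"])).days
        if age_days > max_age_days:
            stale.append((secret["name"], age_days))
    return sorted(stale, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Usage: gh api repos/OWNER/REPO/actions/secrets | python secret_age.py [max_age_days]
    # With nothing on stdin the constructed sample is used instead.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if raw.strip():
        now = datetime.now(timezone.utc)
    else:
        raw, now = SAMPLE_RESPONSE, REFERENCE_NOW
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 90
    for name, age in stale_secrets(raw, limit, now):
        print(f"{name}: last updated {age} days ago (limit {limit})")
```

Run it from a scheduled workflow or a cron job with a token that has `secrets: read` on the repository; a non-empty result is the signal to rotate the upstream credential and overwrite the secret, which resets `updated_at`.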
🔐 Masking Secrets in Logs
```bash
echo "::add-mask::$MY_SECRET"
```
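The runner's redaction works on exact matches of the registered value, so a structured secret such as the `AZURE_CREDENTIALS` service-principal JSON is masked only as a whole string; a single field pulled out of it (with `jq`, a regex, or a script) will print in clear unless it is registered separately with the `::add-mask::` command shown above. The script below is an added example, not code from the original post: it emits one `::add-mask::` command per field of a JSON secret, and `redact()` models the scrubber's exact-match behaviour to show why the whole-string mask alone is not enough. The values in `SAMPLE_AZURE_CREDENTIALS` are constructed placeholders, and reading the live value from an `AZURE_CREDENTIALS` environment variable is an assumption about how the step would be wired.

```python
import json
import os

# Constructed sample in the shape azure/login expects; placeholder values only.
SAMPLE_AZURE_CREDENTIALS = json.dumps({
    "clientId": "11111111-2222-3333-4444-555555555555",
    "clientSecret": "example-client-secret-value",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "subscriptionId": "99999999-8888-7777-6666-555555555555",
})


def leaf_strings(value):
    """Yield every non-empty string leaf of a parsed JSON document."""
    if isinstance(value, dict):
        for item in value.values():
            yield from leaf_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from leaf_strings(item)
    elif isinstance(value, str) and value:
        yield value


def mask_commands(secret_json: str) -> list[str]:
    """Return the ::add-mask:: workflow commands that register each field of a
    structured secret individually, so extracted fields are redacted too."""
    values = sorted(set(leaf_strings(json.loads(secret_json))))
    return [f"::add-mask::{value}" for value in values]


def redact(line: str, masked: list[str]) -> str:
    """Model of the runner's log scrubber: exact-match replacement of every
    registered value with ***. Longest values first so substrings of a longer
    registered value do not leave fragments behind."""
    for value in sorted(masked, key=len, reverse=True):
        line = line.replace(value, "***")
    return line


def demo() -> tuple[str, str]:
    """Show the same log line redacted with only the whole JSON registered
    (GitHub's default for secrets.X) versus every field registered."""
    secret = json.loads(SAMPLE_AZURE_CREDENTIALS)
    log_line = f"az login --password {secret['clientSecret']}"
    whole_only = redact(log_line, [SAMPLE_AZURE_CREDENTIALS])
    per_field = [cmd.removeprefix("::add-mask::")
                 for cmd in mask_commands(SAMPLE_AZURE_CREDENTIALS)]
    return whole_only, redact(log_line, per_field)


if __name__ == "__main__":
    # In a workflow step:  env: { AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} }
    # Printing these lines is the add-mask command itself; the runner consumes
    # them and masks the values from that point on in the job log.
    raw = os.environ.get("AZURE_CREDENTIALS", SAMPLE_AZURE_CREDENTIALS)
    for command in mask_commands(raw):
        print(command)
```

Run this as the first step that touches the structured secret, before any step that extracts fields from it; masks registered later do not retroactively scrub lines already written.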
🛡️ GitHub + External Vaults
```yaml
- name: Login to Azure
  uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Get secrets from Key Vault
  id: keyvault
  uses: azure/get-keyvault-secrets@v1
  with:
    keyvault: 'my-keyvault'
    secrets: 'sql-password,storage-key'
  # Each fetched secret becomes a masked step output,
  # e.g. ${{ steps.keyvault.outputs.sql-password }}
```
✅ Summary
- Use GitHub Secrets or Environments — not `.env` files
- Rotate credentials regularly
- Use minimal privilege principles
- Enable environment protection rules
- Use `add-mask` for anything logged manually