GitHub Actions icon

Secret Management
For GitHub Actions

No more copy-pasting sensitive values into a GUI. Securely load secrets into GitHub Actions and sync them automatically.

Your CI/CD Pipeline Deserves Good Secret Management

Every platform that needs secrets introduces "Yet Another Secret Store" that needs to be kept in sync. Nobody likes jobs failing due to missing or outdated secrets. There has to be a better way.

The Solution

Replace secret environment variables with reference tags

Gather all secrets from your GitHub Actions environment variables and use the SecretHub CLI to safely store them in a centralized location.


Simply add secrethub:// reference tags to your .github/actions/<workflow>.yml file to automatically load secrets at runtime:

SecretHub providing secrets to GitHub Actions and other tools like Kubernetes, Docker, and AWS

A single source of truth for your secrets

With your secrets centralized you know that when a value is updated, GitHub Actions and all other tools will have it on the next run.

  • No more manually syncing the GitHub Actions Environment Variables GUI
  • No more evaluations of each tool's own secret store
Happy developer

Develop and maintain pipelines without breaking them

Secrets shouldn't get in the way when you're developing pipelines. Leverage the powerful reference syntax for cleaner, more predictable, and reproducible GitHub Actions pipelines:

Pin secret versions
  • secrethub://company/app/docker/password:latest
  • secrethub://company/app/docker/password:2
Switch secrets between environments
  • secrethub://company/app/prod/aws/secret_access_key
  • secrethub://company/app/staging/aws/secret_access_key
Run workflows locally too

The missing piece to achieving dev/prod parity when running GitHub Actions workflows locally as loading secrets now works in the same way no matter where you're running.

GitHub Actions log UI with AWS_SECRET_ACCESS_KEY value masked

Prevent accidents and leaks

Mistakes are easily made. Keep your peace of mind and ensure your GitHub Actions logs won't give away the keys to the kingdom.

  • All secret values are automatically masked from log output
  • Secrets are end-to-end encrypted and plaintext values only exist in memory during the lifetime of a job
  • No more insecure and wonky workarounds for the 100-secrets and 64-KB limits
Audit log of a GitHub Actions job loading a Docker password

Control & monitor when GitHub Actions reads secrets

Every time your GitHub Actions job starts, secret reads gets recorded on the audit log. Restrict access to only the secrets it needs and know that you can revoke access with a single command.

Be up and running in no time

Follow the step-by-step guide and you'll be loading secrets into GitHub Actions today.

Unify secret management
across all software delivery phases

You don't have to reinvent the wheel for every platform that needs to consume secrets. Use a single tool to keep secrets safe and in sync across your entire stack.