Manage Organization-level Encrypted Secrets in GitHub Actions
Learn how to configure and scope secrets for GitHub Actions at environment, repository, and organization levels.
In this tutorial, you will configure GitHub Actions secrets at different scopes—environment, repository, and organization—to control access across your workflows. We’ll:
- Add repository-level secrets
- Define environment-level secrets
- Configure organization-level secrets
- Demonstrate secret resolution order
Prerequisites
You need admin access to the target repositories and organization, plus a local clone or VS Code setup.
Also see GitHub Actions Secrets documentation for more details.
Overview: Personal vs. Organization Repositories
Personal accounts support only repository- and environment-level secrets. Organization accounts add an extra organization-level scope.
Switch to an organization repository to access the full spectrum of secret scopes.
Navigate to Settings > Secrets and variables under Code and automation to view all scopes.
Click Organization secrets to manage secrets across your entire organization.
1. Configure Repository-Level Secrets
Create a workflow file at .github/workflows/secret-demo.yaml:
```yaml
name: Secret Scope Demo
on:
  push:
  workflow_dispatch:
jobs:
  print_repo_secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Read Repository Masked Secret
        # The runner replaces the secret's exact value with *** in the log
        run: echo ${{ secrets.DEV_API_KEY }}
      - name: Read Repository Secret Unmasked
        # Inserting a space after every character means the exact value never
        # appears in the output, so the log masking does not apply (demo only)
        run: echo ${{ secrets.DEV_API_KEY }} | sed 's/./& /g'
```
Add the repository secret in Settings > Secrets and variables > Actions > New repository secret:
- Name: DEV_API_KEY
- Value: REPOSITORY-level-DEV-api-key
Push your changes, then open the Actions tab:
Observe the queued workflow:
Once complete, check that the secret is masked in the first step and fully printed in the second:
2. Configure Environment-Level Secrets
Create a new environment called production under Settings > Environments:
Add an environment secret:
- Name: PROD_API_KEY
- Value: ENVIRONMENT-level-PROD-api-key
※ For comparison, also add PROD_API_KEY at the repository level:
Update your workflow to read both repository and environment secrets:
```yaml
name: Secret Scope Demo
on:
  push:
  workflow_dispatch:
jobs:
  print_repo_secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Read DEV_API_KEY
        run: echo ${{ secrets.DEV_API_KEY }} | sed 's/./& /g'
      - name: Read PROD_API_KEY (Repo)
        run: echo ${{ secrets.PROD_API_KEY }} | sed 's/./& /g'
  print_environment_secrets:
    # Binding the job to the environment exposes its secrets, which take
    # precedence over repository secrets of the same name
    environment: production
    runs-on: ubuntu-latest
    steps:
      - name: Read DEV_API_KEY
        run: echo ${{ secrets.DEV_API_KEY }} | sed 's/./& /g'
      - name: Read PROD_API_KEY (Env)
        run: echo ${{ secrets.PROD_API_KEY }} | sed 's/./& /g'
```
Push and view both jobs in Actions:
The environment job uses the environment-level PROD_API_KEY:
3. Configure Organization-Level Secrets
Go to Organization Settings > Secrets and variables > Actions and click New organization secret. Create:
- BROAD_API_KEY – scoped to the secret-management repo.
- AWS_SECRET_ACCESS_KEY – scoped to all public repositories.
- PLATFORM_PASSWORD – scoped to the .github repository only.
When selecting repositories for BROAD_API_KEY, choose only secret-management:
After creation, verify the list and access settings:
Back in secret-management settings, organization secrets appear below repository and environment scopes. Remember that a repository secret overrides an organization secret with the same name:
3.1 Print Organization-Level Secrets
Extend your workflow with:
```yaml
  print_organization_secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Read BROAD_API_KEY (Repo Override)
        # A repository secret of the same name takes precedence over the organization secret
        run: echo ${{ secrets.BROAD_API_KEY }} | sed 's/./& /g'
      - name: Read AWS_SECRET_ACCESS_KEY
        run: echo ${{ secrets.AWS_SECRET_ACCESS_KEY }} | sed 's/./& /g'
      - name: Read PLATFORM_PASSWORD
        # Not shared with this repository, so the expression expands to an empty string
        run: echo ${{ secrets.PLATFORM_PASSWORD }} | sed 's/./& /g'
```
Push and check the print_organization_secrets job:
- BROAD_API_KEY displays the repository-level value.
- AWS_SECRET_ACCESS_KEY displays the organization-level secret.
- PLATFORM_PASSWORD is empty (restricted to the .github repo).
The two values appear unmasked in the log, with a space after every character:
```text
R E P O S I T O R Y - l e v e l - D E V - a p i - k e y
O R G A N I Z A T I O N - l e v e l - A W S _ S E C R E T _ A C C E S S _ K E Y
```
Best Practices and Secret Resolution
| Scope | Precedence | Use Case |
|---|---|---|
| Environment-level | 1 (Highest) | Secure keys for specific deployment tiers |
| Repository-level | 2 | Repo-specific secrets and tokens |
| Organization-level | 3 (Lowest) | Shared secrets across multiple repos |
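The following Python model is an added illustration, not GitHub's code or part of the tutorial. It reproduces the precedence in the table above together with the organization-secret repository access policy from step 3 (GitHub offers "all repositories", "private repositories" and "selected repositories"; the tutorial's AWS_SECRET_ACCESS_KEY is modelled as "all", since the demo repository receives it), using the secret names from the tutorial. Values the tutorial does not print (the organization-level BROAD_API_KEY and PLATFORM_PASSWORD, the repository-level PROD_API_KEY and BROAD_API_KEY) are constructed placeholders.

```python
"""Model of GitHub Actions secret scoping and resolution (added illustration)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class OrgSecret:
    value: str
    # Repository access policy of an organization secret:
    # "all" repositories, "private" repositories only, or "selected" repositories.
    visibility: str
    selected_repos: FrozenSet[str] = frozenset()


def org_secret_visible(secret: OrgSecret, repo: str, repo_is_private: bool) -> bool:
    """Whether an organization secret is exposed to the given repository."""
    if secret.visibility == "all":
        return True
    if secret.visibility == "private":
        return repo_is_private
    if secret.visibility == "selected":
        return repo in secret.selected_repos
    raise ValueError(f"unknown visibility {secret.visibility!r}")


def resolve_secrets(
    repo: str,
    repo_is_private: bool,
    environment: Optional[str],
    org_secrets: Dict[str, OrgSecret],
    repo_secrets: Dict[str, str],
    env_secrets: Dict[str, Dict[str, str]],
) -> Dict[str, str]:
    """Secrets a job in `repo` sees. Lowest-precedence scope is applied first so
    that higher scopes overwrite same-named entries: org < repo < environment."""
    resolved: Dict[str, str] = {
        name: s.value
        for name, s in org_secrets.items()
        if org_secret_visible(s, repo, repo_is_private)
    }
    resolved.update(repo_secrets)  # repository overrides organization
    if environment is not None:
        resolved.update(env_secrets.get(environment, {}))  # environment overrides both
    return resolved


def secret_as_seen_by_workflow(resolved: Dict[str, str], name: str) -> str:
    """`${{ secrets.NAME }}` expands to the empty string when NAME is unavailable."""
    return resolved.get(name, "")


# --- Scenario from the tutorial (values marked "constructed" are placeholders) ---
ORG_SECRETS = {
    "BROAD_API_KEY": OrgSecret("ORGANIZATION-level-BROAD-api-key",  # constructed
                               "selected", frozenset({"secret-management"})),
    "AWS_SECRET_ACCESS_KEY": OrgSecret("ORGANIZATION-level-AWS_SECRET_ACCESS_KEY", "all"),
    "PLATFORM_PASSWORD": OrgSecret("ORGANIZATION-level-PLATFORM-password",  # constructed
                                   "selected", frozenset({".github"})),
}
REPO_SECRETS = {
    "DEV_API_KEY": "REPOSITORY-level-DEV-api-key",
    "PROD_API_KEY": "REPOSITORY-level-PROD-api-key",    # constructed
    "BROAD_API_KEY": "REPOSITORY-level-BROAD-api-key",  # constructed; overrides the org secret
}
ENV_SECRETS = {"production": {"PROD_API_KEY": "ENVIRONMENT-level-PROD-api-key"}}


def demo_job(environment: Optional[str] = None) -> Dict[str, str]:
    """Secrets visible to a job in secret-management, optionally bound to an environment."""
    return resolve_secrets("secret-management", False, environment,
                           ORG_SECRETS, REPO_SECRETS, ENV_SECRETS)


if __name__ == "__main__":
    for env in (None, "production"):
        seen = demo_job(env)
        print(f"environment={env}:")
        for name in ("DEV_API_KEY", "PROD_API_KEY", "BROAD_API_KEY",
                     "AWS_SECRET_ACCESS_KEY", "PLATFORM_PASSWORD"):
            print(f"  {name} -> {secret_as_seen_by_workflow(seen, name)!r}")
```

Running it shows the same outcome as the three jobs in the tutorial: PROD_API_KEY resolves to the repository value in an unbound job and to the environment value once the job declares `environment: production`, BROAD_API_KEY resolves to the repository override, and PLATFORM_PASSWORD is empty because the secret-management repository is not in its selected list.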
Warning
Avoid storing sensitive data in logs. Always mask secrets and restrict access to minimal required repositories.
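The tutorial's `sed` steps show why this warning matters: the runner redacts a secret only where its exact value appears, so a copy with a character inserted between every letter is printed in full. The Python scanner below is an added example (not code from the tutorial or from GitHub) for reviewing a finished job's log: given the secret values the job could read, it reports lines containing a value verbatim and lines containing it only after separator characters are stripped, so transformed copies are caught. `exact_mask` reproduces the verbatim-only redaction for comparison. All log lines are constructed.

```python
"""Reviewing workflow logs for leaked secrets (added example)."""
import re
from typing import Dict, List, Tuple

# Separator characters a step might have interleaved with a secret's characters.
_SEPARATORS = re.compile(r"[\s\-_.:*|]+")

MASK = "***"


def exact_mask(line: str, values: List[str]) -> str:
    """Redact verbatim occurrences only, the way the runner's log masking behaves."""
    for value in values:
        line = line.replace(value, MASK)
    return line


def normalize(text: str) -> str:
    """Collapse separators and case so spaced or hyphenated copies compare equal."""
    return _SEPARATORS.sub("", text).lower()


def find_leaks(log_lines: List[str], secrets: Dict[str, str],
               min_len: int = 8) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret_name, kind) for each leaking line.

    kind is "verbatim" when the raw value is present (masking did not cover it)
    and "transformed" when it is only present after normalize(). Values whose
    normalized form is shorter than min_len are skipped to avoid spurious hits.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        norm_line = normalize(line)
        for name, value in secrets.items():
            norm_value = normalize(value)
            if len(norm_value) < min_len:
                continue
            if value in line:
                findings.append((lineno, name, "verbatim"))
            elif norm_value in norm_line:
                findings.append((lineno, name, "transformed"))
    return findings


# Secrets the demo job could read (names and values from the tutorial).
SECRETS = {
    "DEV_API_KEY": "REPOSITORY-level-DEV-api-key",
    "PROD_API_KEY": "ENVIRONMENT-level-PROD-api-key",
}

# Constructed excerpt of a job log after the runner's masking has been applied.
SAMPLE_LOG = [
    "Run echo ***",                                             # 1: masked, as expected
    "***",                                                      # 2
    "Run echo *** | sed 's/./& /g'",                            # 3: the command line is fine
    "R E P O S I T O R Y - l e v e l - D E V - a p i - k e y",  # 4: spaced copy slipped through
    "Run ./deploy.sh",                                          # 5
    "deploy.sh: using key ENVIRONMENT-level-PROD-api-key",      # 6: constructed; printed where no masking applied
]


def review_sample_log() -> List[Tuple[int, str, str]]:
    """Findings for the constructed log above."""
    return find_leaks(SAMPLE_LOG, SECRETS)


if __name__ == "__main__":
    for lineno, name, kind in review_sample_log():
        print(f"line {lineno}: {name} leaked ({kind})")
```

The scanner is a review aid, not a replacement for masking: it needs the plaintext values, so it belongs in a trusted post-run check, and the separator set and `min_len` should be tuned to the secret formats in use.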
By correctly scoping and managing secrets, you gain fine-grained security control for your GitHub Actions workflows.