GitHub Actions is a powerful automation tool that enables developers to create CI/CD pipelines and automate various workflows. To maintain clean, reusable, and secure automation scripts, leveraging environment variables and secrets is essential. This article explores best practices for managing them effectively.
You Should Know:
1. Setting Environment Variables
Environment variables help avoid hardcoding values, making workflows adaptable across different environments.
Example Workflow:
```yaml
name: CI Pipeline
on: [push]   # trigger event (assumed; the scraped value was not a valid event name)
env:
  DEPLOY_ENV: production
  AWS_REGION: us-east-1
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Print Env Variables
        run: |
          echo "Deployment Environment: $DEPLOY_ENV"
          echo "AWS Region: $AWS_REGION"
```
2. Using GitHub Secrets
Secrets store sensitive data like API keys and passwords securely.
Adding Secrets in GitHub:
1. Go to Repository Settings → Secrets and variables → Actions.
2. Click New repository secret.
3. Enter the Name and Value, then save.
Using Secrets in Workflows:
```yaml
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Authenticate with AWS
        # Expose the secrets to the step through env rather than interpolating
        # them into the shell command line; aws configure takes "set KEY VALUE".
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
        run: |
          aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID" --profile prod
          aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY" --profile prod
```
3. Managing Environment-Specific Variables
Use different variable sets per environment (dev, staging, prod).
Example Multi-Stage Workflow:
```yaml
jobs:
  deploy:
    strategy:
      matrix:
        env: [dev, staging, prod]
    runs-on: ubuntu-latest
    steps:
      - name: Deploy to Environment
        run: ./deploy.sh --env ${{ matrix.env }}
        env:
          API_KEY: ${{ secrets[format('API_KEY_{0}', matrix.env)] }}
```
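The workflow above hands the environment name to `./deploy.sh` as an argument and the secret through `env:`. As an added example (not part of the article, and not a script its author provides), here is a hypothetical `deploy.sh` that receives both: it checks `--env` against the same `dev`/`staging`/`prod` names used in the matrix, fails fast if `API_KEY` is missing, and never prints the secret. The function names `validate_env`, `require_secret` and `main` are ours.

```shell
#!/bin/sh
# deploy.sh (hypothetical, added example): called by the matrix workflow as
# "./deploy.sh --env <name>" with API_KEY exported in its environment.
set -eu

ALLOWED_ENVS="dev staging prod"   # must match the workflow's matrix.env values

# validate_env NAME: return 0 if NAME is an allowed environment, 1 otherwise.
validate_env() {
  for e in $ALLOWED_ENVS; do
    if [ "$1" = "$e" ]; then
      return 0
    fi
  done
  return 1
}

# require_secret VAR: return 1 if the exported variable VAR is unset or empty.
# The value itself is never echoed, so it cannot end up in the job log.
require_secret() {
  val=$(printenv "$1" 2>/dev/null || true)
  if [ -z "$val" ]; then
    echo "error: required secret $1 is not set" >&2
    return 1
  fi
  return 0
}

# main --env NAME: parse arguments and run the (simulated) deployment.
# Every check returns explicitly instead of relying on set -e, because set -e
# is suspended while a function runs inside an "if" condition.
main() {
  env_name=""
  while [ $# -gt 0 ]; do
    case $1 in
      --env)
        [ $# -ge 2 ] || { echo "usage: $0 --env <dev|staging|prod>" >&2; return 2; }
        env_name=$2
        shift 2
        ;;
      *)
        echo "usage: $0 --env <dev|staging|prod>" >&2
        return 2
        ;;
    esac
  done
  validate_env "$env_name" || { echo "error: unknown environment '$env_name'" >&2; return 2; }
  require_secret API_KEY || return 1
  # The real deployment command would go here. The key stays in that command's
  # environment rather than on its command line, which other processes can list.
  echo "deploying to $env_name (API_KEY present)"
  return 0
}

# Run main only when arguments were given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Rejecting any `--env` value outside the allowlist matters because whatever the script accepts ends up in paths, profile names or further command lines; pinning the set to the matrix values keeps the script and the workflow in agreement.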
4. Encrypted Secrets for Security
GitHub encrypts secrets at rest and masks them in logs.
Best Practices:
- Never hardcode secrets in workflows.
- Remember that workflows triggered by `pull_request` events from forked repositories do not receive repository secrets, so do not depend on secrets in those runs.
- Rotate secrets periodically.
5. Dynamic Variables with Outputs
Pass data between jobs using `outputs`.
Example:
```yaml
jobs:
  job1:
    runs-on: ubuntu-latest
    outputs:
      build_id: ${{ steps.build.outputs.id }}
    steps:
      - id: build
        run: echo "id=123" >> $GITHUB_OUTPUT
  job2:
    needs: job1
    runs-on: ubuntu-latest
    steps:
      - run: echo "Build ID: ${{ needs.job1.outputs.build_id }}"
```
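The `echo "id=123" >> $GITHUB_OUTPUT` line above works for one-line values; multi-line values use a delimited block instead. As an added example (not the article's code, and not part of GitHub's toolchain), the shell helpers below write outputs in both forms to the file named by `GITHUB_OUTPUT` and read them back, so the format can be exercised locally before a workflow depends on it. The function names `set_output` and `get_output` are ours, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: write and read values in the format GitHub Actions consumes
# from the file named by $GITHUB_OUTPUT. Single-line values use "name=value";
# multi-line values use the "name<<DELIM ... DELIM" form from GitHub's docs.
set -eu

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline (command substitution strips trailing ones)

# set_output NAME VALUE: append NAME to the $GITHUB_OUTPUT file.
set_output() {
  name=$1
  value=$2
  out=${GITHUB_OUTPUT:?GITHUB_OUTPUT is not set}
  case $value in
    *"$NL"*)
      # A random delimiter keeps a value that itself contains a line such as
      # "EOF" from closing the block early and injecting further output names.
      delim="ghadelim_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$out"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$out"
      ;;
  esac
}

# get_output NAME FILE: print the first value recorded for NAME in FILE
# (empty output if NAME was never set).
get_output() {
  awk -v key="$1" '
    delim != ""                 { if ($0 == delim) exit; print; next }
    index($0, key "<<") == 1    { delim = substr($0, length(key) + 3); next }
    index($0, key "=") == 1     { print substr($0, length(key) + 2); exit }
  ' "$2"
}

# Local demo when not running inside Actions: write two outputs and read them back.
if [ -z "${GITHUB_OUTPUT:-}" ]; then
  GITHUB_OUTPUT=$(mktemp)
  export GITHUB_OUTPUT
  set_output build_id 123
  set_output notes "first line${NL}second line"
  echo "build_id = $(get_output build_id "$GITHUB_OUTPUT")"
  echo "notes    = $(get_output notes "$GITHUB_OUTPUT")"
  rm -f "$GITHUB_OUTPUT"
fi
```

Because outputs are plain text that a later job interpolates, values that come from outside the repository (a branch name, a build log) are safer consumed through `env:` in the downstream step than spliced into a `run:` script with `${{ }}`, the same way the secrets example above passes its values.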
What Undercode Says
GitHub Actions simplifies automation but requires disciplined management of variables and secrets. By using env, secrets, and dynamic outputs, workflows become scalable and secure.
Additional Linux & Windows Commands for Automation:
- Linux:
  - Set a temporary environment variable: `export TEMP_KEY="value"`
  - Check environment variables: `printenv`
  - Securely delete a file: `shred -u confidential.txt`
- Windows (PowerShell):
  - Set an environment variable: `$env:API_KEY = "12345"`
  - List all environment variables: `Get-ChildItem Env:`
  - Encrypt a file: `cipher /e secretfile.txt`
Expected Output:
A well-structured, secure, and maintainable GitHub Actions workflow that dynamically adapts across environments while keeping sensitive data protected.
Reference: Mastering GitHub Actions: Environment Variables and Secrets Management
Reported By: Darryl Ruggles – Hackers Feeds