Secrets
- Get your public key
- List secrets for a repository
- Get a secret
- Create or update a secret for a repository
- Delete a secret from a repository
Encrypted secrets allow you to store sensitive information, such as access tokens, in your repository. For more information, see "Creating and using encrypted secrets" in the GitHub Help documentation.
This API is available for authenticated users, OAuth Apps, and GitHub Apps. Access tokens require repo scope for private repos and public_repo scope for public repos. GitHub Apps must have the secrets permission to use this API. Authenticated users must have collaborator access to a repository to create, update, or read secrets.
GitHub Actions is available with GitHub Free, GitHub Pro, GitHub Free for organizations, GitHub Team, GitHub Enterprise Cloud, and GitHub One. GitHub Actions is not available for private repositories owned by accounts using legacy per-repository plans. For more information, see GitHub's products in the GitHub Help documentation.
Get your public key
Gets your public key, which you must store. You need your public key to use other secrets endpoints. Use the returned key to encrypt your secrets. Anyone with read access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.
GET /repos/:owner/:repo/actions/secrets/public-key
Response
Status: 200 OK
{
"key_id": "1234",
"key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvv1234"
}
List secrets for a repository
Lists all secrets available in a repository without revealing their encrypted values. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.
GET /repos/:owner/:repo/actions/secrets
Response
Status: 200 OK
Link: <https://api.github.com/resource?page=2>; rel="next",
<https://api.github.com/resource?page=5>; rel="last"
{
"total_count": 2,
"secrets": [
{
"name": "GH_TOKEN",
"created_at": "2019-08-10T14:59:22Z",
"updated_at": "2020-01-10T14:59:22Z"
},
{
"name": "GIST_ID",
"created_at": "2020-01-10T10:59:22Z",
"updated_at": "2020-01-11T11:59:22Z"
}
]
}
Get a secret
Gets a single secret without revealing its encrypted value. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.
GET /repos/:owner/:repo/actions/secrets/:name
Response
Status: 200 OK
{
"name": "GH_TOKEN",
"created_at": "2019-08-10T14:59:22Z",
"updated_at": "2020-01-10T14:59:22Z"
}
Create or update a secret for a repository
Creates or updates a secret with an encrypted value. Encrypt your secret using LibSodium. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.
PUT /repos/:owner/:repo/actions/secrets/:name
Parameters
| Name | Type | Description |
|---|---|---|
encrypted_value |
string |
Value for your secret, encrypted with LibSodium using the public key retrieved from the Get your public key endpoint. |
key_id |
string |
ID of the key you used to encrypt the secret. |
Example encrypting a secret using Node.js
Encrypt your secret using the tweetsodium library.
const sodium = require('tweetsodium');
const key = "base64-encoded-public-key";
const value = "plain-text-secret";
// Convert the message and key to Uint8Array's (Buffer implements that interface)
const messageBytes = Buffer.from(value);
const keyBytes = Buffer.from(key, 'base64');
// Encrypt using LibSodium.
const encryptedBytes = sodium.seal(messageBytes, keyBytes);
// Base64 the encrypted secret
const encrypted = Buffer.from(encryptedBytes).toString('base64');
console.log(encrypted);
Example encrypting a secret using Python
Encrypt your secret using pynacl with Python 3.
from base64 import b64encode
from nacl import encoding, public
def encrypt(public_key: str, secret_value: str) -> str:
"""Encrypt a Unicode string using the public key."""
public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
sealed_box = public.SealedBox(public_key)
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
return b64encode(encrypted).decode("utf-8")
Example encrypting a secret using C#
Encrypt your secret using the Sodium.Core package.
var secretValue = System.Text.Encoding.UTF8.GetBytes("mySecret");
var publicKey = Convert.FromBase64String("2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU=");
var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);
Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));
Example encrypting a secret using Ruby
Encrypt your secret using the rbnacl gem.
require "rbnacl"
require "base64"
key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)
box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("my_secret")
# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)
Response when creating a secret
Status: 201 Created
Response when updating a secret
Status: 204 No Content
Delete a secret from a repository
Deletes a secret in a repository using the secret name. Anyone with write access to the repository can use this endpoint. GitHub Apps must have the secrets permission to use this endpoint.
DELETE /repos/:owner/:repo/actions/secrets/:name
Response
Status: 204 No Content