The official boilerplate code injects the npm token as follows
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
How do I access and set this variable? I cant find it in the GUI.
To help prevent accidental secret disclosure, GitHub Actions automatically redact secrets printed to the log, but this is not a true security boundary because secrets can be intentionally sent to the log.
To set a custom environment variable, you must define it in the workflow file. The scope of a custom environment variable is limited to the element in which it is defined. You can define environment variables that are scoped for: The entire workflow, by using env at the top level of the workflow file.
To add GitHub Actions secrets for a repository, got to its Settings page, then select the Secrets tab, then click on the Add a new secret text button.
On GitHub, navigate to the main page of the repository. Under your repository name, click Settings. In the left sidebar, click Secrets. Type a name for your secret in the "Name" input box. Type the value for your secret. Click Add secret.
Secret tokens and GitHub Actions From the Settings tab of any repository, there’s an option to add a GitHub Actions secret. Simply provide a name for the secret and a corresponding value and click the green Add secret button.
Encrypted secrets allow you to store sensitive information in your organization, repository, or repository environments. Secrets are encrypted environment variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows.
Settings
tabSecrets
section in the left hand menuAdd a new secret
and provide a name (e.g. npm_token
) and a value.In addition to the GUI, you now (January 2020) have a GitHub Actions API(!, still beta though), as announced here.
And it does include a GitHub Actions Secrets API:
Create or update an repository secret:
Creates or updates an organization secret with an encrypted value. Encrypt your secret using LibSodium.
You must authenticate using an access token with the
admin:repo
scope to use this endpoint.
GitHub Apps must have thesecrets
organization permission to use this endpoint.PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}
Get a repository secret
Gets a single secret without revealing its encrypted value.
Anyone with write access to the repository can use this endpoint.
GitHub Apps must have the secrets permission to use this endpoint.GET /repos/:owner/:repo/actions/secrets/:name
So the GUI is no longer the sole option: you can script and get/set an Actions secret through this new API.
This page is hard to find, but it exists in the official docs here: Creating and using secrets (encrypted variables).
Copied from the docs below for convenience:
Secret names cannot include any spaces. To ensure that GitHub redacts your secret in logs, avoid using structured data as the values of secrets, like JSON or encoded Git blobs.
- On GitHub, navigate to the main page of the repository.
- Under your repository name, click Settings.
- In the left sidebar, click Secrets.
- Type a name for your secret in the "Name" input box.
- Type the value for your secret.
- Click Add secret.
The link above has a bit more info around using secrets as well.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With