2023-03-06

Environment variables in GitHub Actions

Introduction

Environment variables and secrets are essential components of GitHub Actions that enable developers to manage configurations and sensitive data securely. In this article, I will explore how to effectively manage environment variables and handle sensitive data with secrets in GitHub Actions.

Managing Environment Variables

Environment variables are a powerful way to configure your GitHub Actions workflows. They allow you to store and manage dynamic values that can be reused throughout your workflows, making your code cleaner and more efficient. In this chapter, I will dive into the details of defining, using, and managing environment variables in GitHub Actions.

Defining Environment Variables

Environment variables can be defined at various levels within your GitHub Actions workflows:

Workflow level

Define environment variables for the entire workflow by setting the env keyword at the root level of the YAML file. These variables will be available to all jobs and steps within the workflow.

yaml
env:
  API_BASE_URL: https://api.example.com
  NODE_ENV: production

jobs:
  build: ...

Job level

Define environment variables specific to a particular job by setting the env keyword within the job definition. These variables will be available to all steps within the job but not to other jobs.

yaml
jobs:
  build:
    env:
      API_BASE_URL: https://api.example.com
      NODE_ENV: production
    ...

Step level

Define environment variables for a single step by setting the env keyword within the step definition. These variables will only be available within the context of that step.

yaml
jobs:
  build:
    steps:
      - name: Run API tests
        env:
          API_BASE_URL: https://api.example.com
          NODE_ENV: test
        run: npm run test-api

Using Environment Variables in Workflow Steps

Once you have defined your environment variables, you can use them within your workflow steps by referencing them with the env context. To do this, use the syntax ${{ env.VARIABLE_NAME }}.

yaml
jobs:
  build:
    steps:
      - name: Install dependencies
        run: npm ci

      - name: Run tests
        env:
          API_BASE_URL: https://api.example.com
        run: API_URL=${{ env.API_BASE_URL }} npm test

Environment Variables in Matrix Strategy

The matrix strategy is a powerful feature in GitHub Actions that allows you to create multiple jobs with different configurations using a single workflow definition. You can use environment variables to parameterize your matrix jobs, making it easy to reuse the same workflow with various configurations.

yaml
jobs:
  build:
    strategy:
      matrix:
        node_version: [12, 14, 16]
        os: [ubuntu-latest, windows-latest, macos-latest]

    runs-on: ${{ matrix.os }}
    env:
      NODE_VERSION: ${{ matrix.node_version }}

    steps:
      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Install dependencies
        run: npm ci

      - name: Run tests
        run: npm test

Default Environment Variables in GitHub Actions

GitHub Actions provides a set of default environment variables that you can use in your workflows without having to define them yourself. These variables provide information about the repository, the runner context, and other useful data. Some commonly used default environment variables include:

  • GITHUB_REPOSITORY: The owner and repository name. For example, octocat/Hello-World.
  • GITHUB_SHA: The commit SHA that triggered the workflow run.
  • GITHUB_REF: The branch or tag ref that triggered the workflow run.
  • GITHUB_WORKSPACE: The GitHub workspace directory path.

Default environment variables are set by GitHub rather than defined in the workflow, so they are not available through the env context. Read them as ordinary shell variables inside a run step; most of them also have a corresponding property in the github context (for example, ${{ github.repository }}):

yaml
jobs:
  build:
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Print repository information
        # Default variables are read by the shell at run time, not through the env context
        run: |
          echo "Repository: $GITHUB_REPOSITORY"
          echo "Commit SHA: $GITHUB_SHA"
          echo "Ref: $GITHUB_REF"
          echo "Workspace directory: $GITHUB_WORKSPACE"

Handling Sensitive Data with Secrets

In many cases, workflows require access to sensitive data such as API keys, credentials, and tokens. GitHub Actions provides a secure way to manage this data using secrets. Secrets are encrypted environment variables designed to store sensitive information securely. In this chapter, I will discuss how to create, manage, and use secrets in your GitHub Actions workflows.

Creating and Managing Secrets

Secrets can be created and managed at both the repository and organization levels. To create a new secret for your repository, follow these steps:

  1. Navigate to the main page of your GitHub repository.
  2. Click on the "Settings" tab.
  3. In the left sidebar, click on "Secrets and variables" > "Actions."
  4. Click on the "New repository secret" button.
  5. Enter a name for the secret and its corresponding value, then click "Add secret."

To create a secret at the organization level, follow similar steps, but start by navigating to the organization settings page.

Accessing Secrets in Workflows

To access secrets within your GitHub Actions workflows, use the secrets context. The syntax is ${{ secrets.SECRET_NAME }}. Here's an example of using a secret to authenticate with an API:

yaml
jobs:
  deploy:
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Deploy to production
        env:
          API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
        # Read the secret from the step's environment instead of expanding it into the script text
        run: |
          curl -X POST -H "Authorization: Bearer $API_KEY" https://api.example.com/deploy

Keep in mind that GitHub redacts secret values from workflow logs and does not pass secrets to the runner when a workflow is triggered from a forked repository. This is a security measure to protect your sensitive data.
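
Added example, not from the original article: a small review aid that scans workflow text for ${{ ... }} expressions expanded inside run: scripts, where the value is pasted into the script before the shell starts, and suggests mapping it under env: and reading it as a shell variable instead. The sample workflow, the ./deploy.sh script and the function names are constructed for this illustration.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # any ${{ ... }} expression
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")      # group 1 width = column of the key
NAME = re.compile(r"^\s*(?:-\s+)?name:\s*(.+)$")
# Constructed sample workflow, written for this example (./deploy.sh is hypothetical).
SAMPLE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Inline secret
        run: |
          curl -H "Authorization: Bearer ${{ secrets.PRODUCTION_API_KEY }}" https://api.example.com/deploy
      - name: Secret via env
        env:
          API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
        run: |
          curl -H "Authorization: Bearer $API_KEY" https://api.example.com/deploy
      - name: Env context inline
        env:
          API_KEY: ${{ secrets.PRODUCTION_API_KEY }}
        run: ./deploy.sh "${{ env.API_KEY }}"
"""

def find_inline_expressions(workflow_text):
    """Line-based scan (not a YAML parser): (line_no, step, expression) per ${{ }} in a run: script."""
    findings, step, block_col = [], None, None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if block_col is not None:
            if not line.strip() or indent > block_col:   # still inside the script
                findings += [(no, step, e) for e in EXPR.findall(line)]
                continue
            block_col = None                              # dedent ends the block
        if (m := NAME.match(line)):
            step = m.group(1).strip()
        elif (r := RUN.match(line)):
            if r.group(2)[:1] in ("|", ">"):              # block scalar: script follows
                block_col = len(r.group(1))
            else:                                         # single-line script
                findings += [(no, step, e) for e in EXPR.findall(r.group(2))]
    return findings

def report(workflow_text):
    """One review message per finding, naming the shell variable to read instead."""
    return [f"line {no} ({step}): move {expr} to env: and read "
            f"${expr.rsplit('.', 1)[-1].replace('-', '_').upper()}"
            for no, step, expr in find_inline_expressions(workflow_text)]
```

Calling report(SAMPLE) flags the first and third steps and leaves the second, which already reads the secret from its environment, alone.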

Ryusei Kakujo
