
GitHub Actions Secrets

GitHub Actions secrets are write-only and should be treated as deployment bootstrap state, not the primary secret inventory.

Appropriate Uses

  • CI/CD credentials.
  • Deployment SSH or runner bootstrap values.
  • Values required before Infisical can be reached.
  • Temporary migration support during rotation.

Rules

  • Do not overwrite a secret unless the replacement value is verified.
  • Mirror long-lived application secrets into Infisical where possible.
  • Record secret names, consumers, and rotation owner without recording values.
  • Remove legacy secrets only after successful deploy and rollback validation.
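
One way to keep the record the third rule asks for, shown as an added example that is not part of the original page: the script scans workflow files for secret references and lists each name with its consumers and rotation owner, without ever reading a value. The workflow contents, secret names and owner registry are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches secrets.NAME and secrets['NAME'] inside ${{ ... }} workflow expressions.
SECRET_REF = re.compile(r"""secrets(?:\.|\[\s*['"])([A-Za-z_][A-Za-z0-9_]*)""")
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}", re.S)

# Constructed sample workflows (file path -> YAML text); not from a real repository.
WORKFLOWS = {
    ".github/workflows/deploy.yml": """
jobs:
  deploy:
    steps:
      - run: ./deploy.sh
        env:
          SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          INFISICAL_TOKEN: ${{ secrets['INFISICAL_BOOTSTRAP_TOKEN'] }}
""",
    ".github/workflows/ci.yml": """
jobs:
  test:
    steps:
      - run: make test
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
""",
}
# Hypothetical owner registry: secret name -> rotation owner (names only, no values).
OWNERS = {"DEPLOY_SSH_KEY": "platform-team"}

def build_inventory(workflows, owners):
    """Return {name: {"consumers": [...], "owner": str | None}} from workflow text."""
    consumers = defaultdict(set)
    for path, text in workflows.items():
        for expr in EXPRESSION.findall(text):
            for name in SECRET_REF.findall(expr):
                # GITHUB_TOKEN is issued per run by GitHub, not a stored secret.
                if name.upper() != "GITHUB_TOKEN":
                    consumers[name.upper()].add(path)
    return {n: {"consumers": sorted(p), "owner": owners.get(n)}
            for n, p in sorted(consumers.items())}

def missing_owner(inventory):
    """Secret names that have consumers but no recorded rotation owner."""
    return [n for n, rec in inventory.items() if rec["owner"] is None]

if __name__ == "__main__":
    for name, rec in build_inventory(WORKFLOWS, OWNERS).items():
        print(name, rec["consumers"], rec["owner"] or "UNOWNED")
```

Names are upper-cased before comparison because GitHub treats secret names as case-insensitive; any name returned by `missing_owner` needs an owner assigned before it is rotated or removed.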

Related pages: Environment Variables and Rotation Checklist.