Workflows should not set secrets to environment variables.
❌
name: test
env:
GITHUB_TOKEN: ${{github.token}} # The secret should not be set to workflow's environment variables
DATADOG_API_KEY: ${{secrets.DATADOG_API_KEY}} # The secret should not be set to workflow's environment variables
jobs:
foo:
runs-on: ubuntu-latest
permissions: {}
steps:
- run: echo foo
bar:
runs-on: ubuntu-latest
permissions: {}
steps:
- run: echo bar
⭕
name: test
jobs:
foo:
runs-on: ubuntu-latest
permissions: {}
env:
GITHUB_TOKEN: ${{github.token}}
steps:
- run: echo foo
bar:
runs-on: ubuntu-latest
permissions: {}
env:
DATADOG_API_KEY: ${{secrets.DATADOG_API_KEY}}
steps:
- run: echo bar
Set secrets to jobs or steps.
Secrets should be exposed to only necessary jobs or steps.
Workflow has only one job.