Skip to content

Latest commit

 

History

History
58 lines (46 loc) · 999 Bytes

005.md

File metadata and controls

58 lines (46 loc) · 999 Bytes

workflow_secrets

Workflows should not set secrets to environment variables.

Examples

name: test
env:
  GITHUB_TOKEN: ${{github.token}} # The secret should not be set to workflow's environment variables 
  DATADOG_API_KEY: ${{secrets.DATADOG_API_KEY}} # The secret should not be set to workflow's environment variables 
jobs:
  foo:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo foo
  bar:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo bar

name: test
jobs:
  foo:
    runs-on: ubuntu-latest
    permissions: {}
    env:
      GITHUB_TOKEN: ${{github.token}}
    steps:
      - run: echo foo
  bar:
    runs-on: ubuntu-latest
    permissions: {}
    env:
      DATADOG_API_KEY: ${{secrets.DATADOG_API_KEY}}
    steps:
      - run: echo bar

How to fix

Set secrets to jobs or steps.

Why?

Secrets should be exposed to only necessary jobs or steps.

Exceptions

Workflow has only one job.