How to use environment variables and secrets in GitHub Actions
env block, secrets context, GitHub Secrets UI, GITHUB_TOKEN, secret masking, environment-level secrets, env vs secrets
Environment Variables
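Environment variables in GitHub Actions can be set at the workflow, job, or step level. When the same name is set at more than one level, the most specific one wins within its scope: a step-level value overrides a job-level one, which overrides a workflow-level one.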
env:
  NODE_ENV: test # workflow-level, available everywhere
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      LOG_LEVEL: debug # job-level
    steps:
      - run: echo $NODE_ENV
        env:
          API_URL: http://localhost:3000 # step-level

Secrets
Never hardcode API keys or passwords in workflow files. Store sensitive values in GitHub Secrets (Settings → Secrets and variables → Actions) and reference them via the secrets context:
- name: Deploy
  run: ./deploy.sh
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
    DATABASE_URL: ${{ secrets.DATABASE_URL }}

GitHub automatically masks secret values in logs: if a secret is accidentally printed, it appears as ***. Masking matches the stored value itself, so an encoded or otherwise transformed copy of a secret is not masked. GITHUB_TOKEN is a special secret automatically created for every workflow run with permissions scoped to the repository. Use it to authenticate with the GitHub API without creating a personal access token.
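One way to check a workflow file against the "never hardcode" rule above, as an added example that is not part of the original page: a Python heuristic that walks the env blocks and reports credential-like names whose value is a literal instead of a secrets-context expression. The name pattern, the function name find_hardcoded_secrets and the sample workflow are assumptions constructed for this illustration.

```python
import re
# Heuristic list of env names that usually hold credentials (assumed for this example).
SENSITIVE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|DATABASE_URL", re.I)
ENV_HEADER = re.compile(r"^\s*env:\s*(#.*)?$")
ENTRY = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")
# Accepted value: one expression reading the secrets context or github.token.
FROM_CONTEXT = re.compile(r"^\$\{\{\s*(secrets\.[A-Za-z0-9_]+|github\.token)\s*\}\}$")

def find_hardcoded_secrets(workflow_text):
    """Return (line_number, name) for sensitive env entries whose value is a literal."""
    findings = []
    env_indent = None  # indentation of the enclosing `env:` key, None outside a block
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if ENV_HEADER.match(line):
            env_indent = indent
            continue
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # dedent: the env block has ended
        entry = ENTRY.match(line)
        if env_indent is None or not entry:
            continue
        # Drop a trailing YAML comment and surrounding quotes before judging the value.
        value = re.sub(r"\s+#.*$", "", entry.group(2)).strip().strip("'\"")
        if SENSITIVE.search(entry.group(1)) and not FROM_CONTEXT.match(value):
            findings.append((lineno, entry.group(1)))
    return findings

# Constructed workflow: two literal credentials (lines 7 and 13) among safe entries.
SAMPLE = """\
env:
  NODE_ENV: test
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      API_TOKEN: constructed-not-a-real-token   # literal value
    steps:
      - name: Deploy
        run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          DATABASE_URL: postgres://app:constructed-pw@db.example.internal/app
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE))
```

The scan is line-based and does not parse YAML, so it only sees block-style env mappings laid out like the ones on this page.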
