Secret
Source:
src/GitHub/Secret.ts
A GitHub Actions repository or environment secret.
Secret manages the lifecycle of an encrypted secret in GitHub Actions.
Secrets are encrypted using the repository’s (or environment’s) public
key via libsodium before being stored. The resource is idempotent —
calling it with the same name will update the secret value in place.
Authentication is resolved in order: explicit token prop,
GITHUB_ACCESS_TOKEN env var, GITHUB_TOKEN env var. The token needs
repo scope for private repositories or public_repo for public ones.
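The flow the paragraph above describes (resolve a token, fetch the public key, seal the value, store it), sketched as an added example that is not code from this project. The type and function names are hypothetical, the endpoint paths and body fields are those of GitHub's REST API for Actions secrets, and `seal` is a parameter where libsodium's `crypto_box_seal` would be passed; `Buffer` assumes Node.

```typescript
// Added illustration: type and function names are hypothetical, not this library's API.
type Env = Record<string, string | undefined>;
type Target = { owner: string; repository: string; environment?: string };
type RepoPublicKey = { key_id: string; key: string }; // key is base64, as the API returns it
type Seal = (message: Uint8Array, recipientKey: Uint8Array) => Uint8Array;
type ApiRequest = { method: "GET" | "PUT"; url: string; headers: Record<string, string>; body?: string };

const GITHUB_API = "https://api.github.com";

// Precedence stated on the page: explicit token, GITHUB_ACCESS_TOKEN, GITHUB_TOKEN.
function resolveToken(explicit: string | undefined, env: Env): string {
  const token = explicit || env.GITHUB_ACCESS_TOKEN || env.GITHUB_TOKEN;
  if (!token) throw new Error("no GitHub token: pass one or set GITHUB_ACCESS_TOKEN / GITHUB_TOKEN");
  return token;
}

// Repository secrets and environment secrets live under different paths.
function secretsPath(t: Target): string {
  const repo = `/repos/${encodeURIComponent(t.owner)}/${encodeURIComponent(t.repository)}`;
  return t.environment
    ? `${repo}/environments/${encodeURIComponent(t.environment)}/secrets`
    : `${repo}/actions/secrets`;
}

function authHeaders(token: string) {
  return { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" };
}

// Step 1: fetch the public key that the value must be sealed to.
function publicKeyRequest(t: Target, token: string): ApiRequest {
  return { method: "GET", url: `${GITHUB_API}${secretsPath(t)}/public-key`, headers: authHeaders(token) };
}

// Step 2: seal the plaintext and PUT it. PUT creates or updates, so repeating it is safe.
// Only ciphertext and the id of the key it was sealed to appear in the body.
function putSecretRequest(t: Target, name: string, value: string,
                          pk: RepoPublicKey, seal: Seal, token: string): ApiRequest {
  const sealed = seal(new TextEncoder().encode(value), new Uint8Array(Buffer.from(pk.key, "base64")));
  const body = JSON.stringify({ encrypted_value: Buffer.from(sealed).toString("base64"), key_id: pk.key_id });
  return { method: "PUT", url: `${GITHUB_API}${secretsPath(t)}/${encodeURIComponent(name)}`,
           headers: authHeaders(token), body };
}
```

In real use, pass `process.env` as `env` and `sodium.crypto_box_seal` from `libsodium-wrappers` (after `await sodium.ready`) as `seal`.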
Repository Secrets
Store secrets accessible to all GitHub Actions workflows in the repository.

yield* GitHub.Secret("aws-role", {
  owner: "my-org",
  repository: "my-repo",
  name: "AWS_ROLE_ARN",
  value: Redacted.make(role.roleArn),
});

Environment Secrets
Scope a secret to a specific GitHub Actions environment (e.g.
production, staging). Environment secrets require environment
protection rules to be satisfied before workflows can access them.

yield* GitHub.Secret("deploy-key", {
  owner: "my-org",
  repository: "my-repo",
  environment: "production",
  name: "DEPLOY_KEY",
  value: Redacted.make("my-secret-value"),
});

Wiring with Other Resources
A common pattern is wiring the output of another resource, such as an IAM role ARN or a database URL, directly into a GitHub secret so that CI workflows can use it.
Store an IAM Role ARN for CI
const role = yield* AWS.IAM.Role("ci-role", { ... });
yield* GitHub.Secret("ci-role-arn", {
  owner: "my-org",
  repository: "my-repo",
  name: "AWS_ROLE_ARN",
  value: Redacted.make(role.roleArn),
});

Store Multiple Secrets

yield* GitHub.Secret("db-url", {
  owner: "my-org",
  repository: "my-repo",
  environment: "production",
  name: "DATABASE_URL",
  value: Redacted.make(database.connectionString),
});

yield* GitHub.Secret("api-key", {
  owner: "my-org",
  repository: "my-repo",
  environment: "production",
  name: "API_KEY",
  value: Redacted.make(apiKey),
});