About secrets
Secrets allow you to store sensitive information in your organization, repository, or repository environments. Secrets are variables that you create to use in GitHub Actions workflows in an organization, repository, or repository environment.
GitHub Actions can only read a secret if you explicitly include the secret in a workflow.
Organization-level secrets
Organization-level secrets let you share a secret across multiple repositories, which reduces the need to create duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in every repository workflow that uses that secret.
When creating a secret for an organization, you can use a policy to limit access by repository. For example, you can grant access to all repositories, or limit access to only private repositories or a specified list of repositories.
For environment secrets, you can enable required reviewers to control access to the secrets. A workflow job cannot access environment secrets until approval is granted by required approvers.
To make a secret available to an action, you must set the secret as an input or environment variable in your workflow file. Review the action's README file to learn which inputs and environment variables the action expects. See Workflow syntax for GitHub Actions.
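The following workflow is an added illustration of both ways of handing a secret to a step; it is not taken from GitHub's documentation. The action `octo-org/deploy-action` and its `api-token` input are hypothetical placeholders for whatever the real action's README documents, the secret names are assumed, and `uploads.example.com` is a constructed endpoint.

```yaml
name: deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Environment secrets are only readable once the job targets the environment
    # (and, where required reviewers are configured, after they approve the job).
    environment: production
    steps:
      - uses: actions/checkout@v4

      # 1. Secret as an action input. The action name and its 'api-token' input
      #    are hypothetical; check the real action's README for the input it expects.
      - uses: octo-org/deploy-action@v1
        with:
          api-token: ${{ secrets.DEPLOY_API_TOKEN }}

      # 2. Secret as an environment variable. The script reads $UPLOAD_TOKEN at
      #    runtime instead of interpolating ${{ secrets.UPLOAD_TOKEN }} into 'run',
      #    so the value is never written into the generated shell script itself.
      - name: Upload build artifact
        env:
          UPLOAD_TOKEN: ${{ secrets.UPLOAD_TOKEN }}
        run: |
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${UPLOAD_TOKEN}" \
            --upload-file dist/app.tar.gz \
            https://uploads.example.com/app
```

Only the `deploy` job references the secrets, so only that job's runner ever receives them; a job that does not reference a secret in an input or `env` block cannot read it.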
Limiting credential permissions
When generating credentials, we recommend that you grant the minimum permissions possible. For example, instead of using personal credentials, use deploy keys or a service account. Consider granting read-only permissions if that's all that is needed, and limit access as much as possible.
When generating a personal access token (classic), select the fewest scopes necessary. When generating a fine-grained personal access token, select the minimum permissions and repository access required.
Instead of using a personal access token, consider using a GitHub App, which uses fine-grained permissions and short-lived tokens, similar to a fine-grained personal access token. Unlike a personal access token, a GitHub App is not tied to a user, so the workflow will continue to work even if the user who installed the app leaves your organization. For more information, see Making authenticated API requests with a GitHub App in a GitHub Actions workflow.
Automatically redacted secrets
GitHub Actions automatically redacts the contents of all GitHub secrets that are printed to workflow logs.
GitHub Actions also redacts information that is recognized as sensitive, but is not stored as a secret. For a list of automatically redacted secrets, see Secrets reference.
Note
If you would like other types of sensitive information to be automatically redacted, please reach out to us in our community discussions.
As a matter of best practice, you should mask all sensitive information that is not a GitHub secret by using ::add-mask::VALUE. This causes the value to be treated as a secret and redacted from logs. For more information about masking data, see Workflow commands for GitHub Actions.
Redaction of secrets is performed by your workflow runners. This means a secret will only be redacted if it was used within a job and is accessible by the runner. If an unredacted secret is sent to a workflow run log, you should delete the log and rotate the secret. For information on deleting logs, see Using workflow run logs.
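The job below is an added example covering the two preceding points (masking values that are not GitHub secrets, and the fact that redaction happens on the runner of the job that holds the value); it is not GitHub's own code. The `token.example.com` endpoint is a constructed stand-in for any service that mints a credential at runtime, and the secret and output names are assumed.

```yaml
jobs:
  mask-runtime-credentials:
    runs-on: ubuntu-latest
    steps:
      # A credential minted during the job was never stored as a GitHub secret,
      # so the runner has nothing to match against and will NOT redact it.
      # Mask it before it is echoed, written to $GITHUB_OUTPUT, or passed on.
      - name: Exchange long-lived secret for a short-lived token
        id: mint
        env:
          EXCHANGE_KEY: ${{ secrets.TOKEN_EXCHANGE_KEY }}   # stored secret: auto-redacted
        run: |
          # Hypothetical token service; replace with the real exchange call.
          token="$(curl --fail --silent --show-error \
                    -H "Authorization: Bearer ${EXCHANGE_KEY}" \
                    https://token.example.com/issue)"
          if [ -z "${token}" ]; then
            echo "::error::token exchange returned an empty value"
            exit 1
          fi
          # Mask first, then write the output: from this line on, every
          # occurrence of the value in this job's log is shown as ***.
          echo "::add-mask::${token}"
          echo "token=${token}" >> "$GITHUB_OUTPUT"

      # Values that are sensitive but not credentials (an internal hostname
      # read from a file, for example) get the same treatment.
      - name: Mask a sensitive non-secret value
        run: |
          internal_host="$(cat config/internal-host.txt)"
          echo "::add-mask::${internal_host}"
          echo "INTERNAL_HOST=${internal_host}" >> "$GITHUB_ENV"

      - name: Use the masked values
        env:
          TOKEN: ${{ steps.mint.outputs.token }}
        run: |
          # Both values were masked earlier in this job, so this prints *** twice.
          echo "calling ${INTERNAL_HOST} with ${TOKEN}"
```

Masking is tied to the runner executing the job, so a value masked here is not automatically masked in a different job; a job that receives such a value must issue its own ::add-mask:: before logging it. If a value is ever printed before the mask is applied, treat the run log as compromised: delete it and rotate the credential.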