type: service
status: active
timestamp: 2026-06-20
tags: [secrets, github, ci, primary]

GitHub Secrets

Runtime secret store for GH Actions — written by Doppler, free unlimited

Role

Runtime secret store for everything that runs inside GitHub Actions — npm publish, wrangler deploy, gh release, the omnipost cron, every CI workflow. Doppler writes; Actions reads. GitHub Secrets is the runtime mirror, never the source of truth.

Free tier

Card / subscription required?

NO. Included with free GitHub.

Scoping rules

The family always picks the narrowest scope that lets the workflow run:

Scope                           | When to use                                                          | Example
Environment (per-repo, per-env) | Production deploy keys; secrets a workflow only needs in prod        | CLOUDFLARE_API_TOKEN in the oriz repo’s prod environment
Repo                            | Secrets used across multiple workflows in one repo, all environments | OMNIPOST_DEVTO_TOKEN in the oriz-omnipost repo
Organization                    | Secrets shared by 3+ repos                                           | NPM_TOKEN for @chirag127/ package publishes; DOPPLER_SERVICE_TOKEN

Org-level secrets carry an explicit allow-list of repos. Never use “all repositories” — it leaks the secret to forks and to repos that don’t need it.
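The scope selection above, turned into a small helper that picks the narrowest scope for a secret from the list of workflows that read it and builds the matching gh secret set command (an added example, not code from the page, Doppler or the gh project; the repo names and the owner chirag127 are constructed samples):

```python
"""Pick the narrowest GitHub Secrets scope for a secret and build the matching
`gh secret set` invocation. Added example, not from the page or from Doppler/gh."""
import subprocess
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Consumer:
    """One workflow that reads the secret: its repo and, if any, its environment."""
    repo: str                  # "owner/name"
    env: Optional[str] = None  # None when the job runs outside any environment

def choose_scope(consumers):
    """(scope, repos, env) for the narrowest scope that still covers every consumer:
    environment = one repo, all consumers in the same named environment;
    repo        = one repo, consumers spread over several (or no) environments;
    org         = several repos, which then form the explicit allow-list."""
    repos = sorted({c.repo for c in consumers})
    envs = {c.env for c in consumers}
    if not repos:
        raise ValueError("a secret nobody reads should not be created at all")
    if len(repos) == 1:
        if len(envs) == 1 and None not in envs:
            return "environment", repos, next(iter(envs))
        return "repo", repos, None
    return "org", repos, None

def gh_secret_set_cmd(name, consumers, org):
    """argv for `gh secret set`; the value is fed on stdin, never as an argument."""
    scope, repos, env = choose_scope(consumers)
    argv = ["gh", "secret", "set", name]
    if scope == "environment":
        argv += ["--repo", repos[0], "--env", env]   # the environment must already exist
    elif scope == "repo":
        argv += ["--repo", repos[0]]
    else:
        # Explicit allow-list; `--repos` implies visibility "selected", so the
        # "all repositories" setting the page forbids can never be emitted here.
        names = ",".join(r.split("/", 1)[1] for r in repos)
        argv += ["--org", org, "--visibility", "selected", "--repos", names]
    return argv

def apply(name, value, consumers, org, dry_run=True):
    """Run the command with the secret on stdin (keeps it out of ps and shell history)."""
    argv = gh_secret_set_cmd(name, consumers, org)
    if not dry_run:
        subprocess.run(argv, input=value.encode(), check=True)
    return argv

if __name__ == "__main__":
    # Constructed consumers modelled on the table above; owner "chirag127" is assumed.
    print(apply("CLOUDFLARE_API_TOKEN", "x", [Consumer("chirag127/oriz", "prod")], "chirag127"))
    repos = [Consumer(f"chirag127/{r}") for r in ("oriz", "oriz-omnipost", "oriz-docs")]
    print(apply("NPM_TOKEN", "x", repos, "chirag127"))
```

Run with dry_run=False to actually write the secret; gh must be authenticated with a token that can administer the target repo or organization.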

Alternatives

Swap cost

Low — secret values are short strings written via gh secret set or the Doppler integration. Swapping to another CI runtime would mean moving the same values into the new runtime’s secret store.

Why this is our pick (as runtime mirror)

It’s already there — every Action reads from it natively, no plumbing. Pairing it with Doppler-as-source-of-truth gets us:

Implementation notes

Cross-refs
