
GitHub Secrets

Type: service. Tags: secrets, github, ci, primary.


Role

Runtime secret store for everything that runs inside GitHub Actions — npm publish, wrangler deploy, gh release, the omnipost cron, every CI workflow. Doppler writes; Actions reads. GitHub Secrets is the runtime mirror, never the source of truth.

Free tier

Card / subscription required?

NO. Included with free GitHub.

Scoping rules

The family always picks the narrowest scope that lets the workflow run:

Scope: Environment (per-repo, per-env)
  When to use: Production deploy keys; secrets a workflow only needs in prod
  Example: CLOUDFLARE_API_TOKEN in the oriz repo's prod environment

Scope: Repo
  When to use: Secrets used across multiple workflows in one repo, all environments
  Example: OMNIPOST_DEVTO_TOKEN in the oriz-omnipost repo

Scope: Organization
  When to use: Secrets shared by 3+ repos
  Example: NPM_TOKEN for @chirag127/ package publishes; DOPPLER_SERVICE_TOKEN

Org-level secrets carry an explicit allow-list of repos. Never use "all repositories" — it leaks the secret to forks and to repos that don't need it.
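The three scopes above as a small POSIX sh wrapper around gh secret set, added here as an example rather than the family's own tooling; the owner, repo and org names in the usage lines are placeholders. It refuses an org secret that has no repo allow-list and reads the value from stdin so it never appears in the process list.

```shell
#!/bin/sh
# Added example: enforce the scoping rules when writing a GitHub Actions secret.
# Names used in the usage lines (chirag127/oriz, chirag127) are placeholders.

# Print the command instead of executing it when GH_DRY_RUN is set, so the
# wrapper can be exercised without a GitHub session.
run() {
  if [ -n "$GH_DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# push_secret SCOPE NAME TARGET [ENVIRONMENT | REPO_ALLOWLIST]
#   SCOPE  : env | repo | org
#   TARGET : OWNER/REPO for env and repo scope, ORG for org scope
#   4th arg: environment name (env scope) or comma-separated repo allow-list (org)
# The secret value is read from stdin (gh secret set reads stdin when no --body
# is given), so it never shows up in shell history or `ps` output.
push_secret() {
  scope=$1 name=$2 target=$3 extra=$4
  case "$scope" in
    env)
      [ -n "$extra" ] || { echo "env scope needs an environment name" >&2; return 1; }
      run gh secret set "$name" --repo "$target" --env "$extra" ;;
    repo)
      run gh secret set "$name" --repo "$target" ;;
    org)
      # Org secrets always carry an explicit allow-list; "all" is never emitted.
      [ -n "$extra" ] || { echo "org scope needs an explicit repo allow-list" >&2; return 1; }
      run gh secret set "$name" --org "$target" --visibility selected --repos "$extra" ;;
    *)
      echo "unknown scope: $scope" >&2; return 1 ;;
  esac
}

# Usage (values piped in, never passed as arguments):
#   printf '%s' "$CF_TOKEN" | push_secret env CLOUDFLARE_API_TOKEN chirag127/oriz prod
#   printf '%s' "$DEVTO"    | push_secret repo OMNIPOST_DEVTO_TOKEN chirag127/oriz-omnipost
#   printf '%s' "$NPM"      | push_secret org NPM_TOKEN chirag127 oriz,oriz-omnipost,oriz-cli
```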

Alternatives

Swap cost

Low — secret values are short strings written via gh secret set or the Doppler integration. Swapping to another CI runtime would mean moving the same values into the new runtime's secret store.

Why this is our pick (as runtime mirror)

It's already there — every Action reads from it natively, no plumbing. Pairing it with Doppler-as-source-of-truth gets us:

Implementation notes

Cross-refs