| name | example | route | scope | type |
|---|---|---|---|---|
Create or update an environment secret |
octokit.rest.actions.createOrUpdateEnvironmentSecret({ repository_id, environment_name, secret_name, encrypted_value, key_id }) |
PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name} |
actions |
API method |
Creates or updates an environment secret with an encrypted value. Encrypt your secret using
LibSodium. You must authenticate using an access
token with the repo scope to use this endpoint. GitHub Apps must have the secrets repository permission to use
this endpoint.
Encrypt your secret using the libsodium-wrappers library.
const sodium = require('libsodium-wrappers')
const secret = 'plain-text-secret' // replace with the secret you want to encrypt
const key = 'base64-encoded-public-key' // replace with the Base64 encoded public key
//Check if libsodium is ready and then proceed.
sodium.ready.then(() => {
// Convert Secret & Base64 key to Uint8Array.
let binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL)
let binsec = sodium.from_string(secret)
//Encrypt the secret using LibSodium
let encBytes = sodium.crypto_box_seal(binsec, binkey)
// Convert encrypted Uint8Array to Base64
let output = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL)
console.log(output)
});
Encrypt your secret using pynacl with Python 3.
from base64 import b64encode
from nacl import encoding, public
def encrypt(public_key: str, secret_value: str) -> str:
"""Encrypt a Unicode string using the public key."""
public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
sealed_box = public.SealedBox(public_key)
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
return b64encode(encrypted).decode("utf-8")
Encrypt your secret using the Sodium.Core package.
var secretValue = System.Text.Encoding.UTF8.GetBytes("mySecret");
var publicKey = Convert.FromBase64String("2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU=");
var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);
Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));
Encrypt your secret using the rbnacl gem.
require "rbnacl"
require "base64"
key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)
box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("my_secret")
# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)octokit.rest.actions.createOrUpdateEnvironmentSecret({
repository_id,
environment_name,
secret_name,
encrypted_value,
key_id,
});| name | required | description |
|---|---|---|
| repository_id | yes |
The unique identifier of the repository. |
| environment_name | yes |
The name of the environment. |
| secret_name | yes |
The name of the secret. |
| encrypted_value | yes |
Value for your secret, encrypted with LibSodium using the public key retrieved from the Get an environment public key endpoint. |
| key_id | yes |
ID of the key you used to encrypt the secret. |
See also: GitHub Developer Guide documentation.