| name | example | route | scope | type |
|---|---|---|---|---|
Create or update an environment secret |
octokit.rest.actions.createOrUpdateEnvironmentSecret({ repository_id, environment_name, secret_name, encrypted_value, key_id }) |
PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name} |
actions |
API method |
Creates or updates an environment secret with an encrypted value. Encrypt your secret using
LibSodium. You must authenticate using an access
token with the repo scope to use this endpoint. GitHub Apps must have the secrets repository permission to use
this endpoint.
Encrypt your secret using the tweetsodium library.
const sodium = require('tweetsodium');
const key = "base64-encoded-public-key";
const value = "plain-text-secret";
// Convert the message and key to Uint8Array's (Buffer implements that interface)
const messageBytes = Buffer.from(value);
const keyBytes = Buffer.from(key, 'base64');
// Encrypt using LibSodium.
const encryptedBytes = sodium.seal(messageBytes, keyBytes);
// Base64 the encrypted secret
const encrypted = Buffer.from(encryptedBytes).toString('base64');
console.log(encrypted);
Encrypt your secret using pynacl with Python 3.
from base64 import b64encode
from nacl import encoding, public
def encrypt(public_key: str, secret_value: str) -> str:
"""Encrypt a Unicode string using the public key."""
public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
sealed_box = public.SealedBox(public_key)
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
return b64encode(encrypted).decode("utf-8")
Encrypt your secret using the Sodium.Core package.
var secretValue = System.Text.Encoding.UTF8.GetBytes("mySecret");
var publicKey = Convert.FromBase64String("2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvvcCU=");
var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);
Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));
Encrypt your secret using the rbnacl gem.
require "rbnacl"
require "base64"
key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)
box = RbNaCl::Boxes::Sealed.from_public_key(public_key)
encrypted_secret = box.encrypt("my_secret")
# Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)octokit.rest.actions.createOrUpdateEnvironmentSecret({
repository_id,
environment_name,
secret_name,
encrypted_value,
key_id,
});| name | required | description |
|---|---|---|
| repository_id | yes |
The unique identifier of the repository. |
| environment_name | yes |
The name of the environment. |
| secret_name | yes |
The name of the secret. |
| encrypted_value | yes |
Value for your secret, encrypted with LibSodium using the public key retrieved from the Get an environment public key endpoint. |
| key_id | yes |
ID of the key you used to encrypt the secret. |
See also: GitHub Developer Guide documentation.