workflow_secrets

Workflows should not set secrets to environment variables.

Examples

❌

name: test
env:
  GITHUB_TOKEN: ${{github.token}} # The secret should not be set to workflow's environment variables 
  DATADOG_API_KEY: ${{secrets.DATADOG_API_KEY}} # The secret should not be set to workflow's environment variables 
jobs:
  foo:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo foo
  bar:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo bar

⭕

name: test
jobs:
  foo:
    runs-on: ubuntu-latest
    permissions: {}
    env:
      GITHUB_TOKEN: ${{github.token}}
    steps:
      - run: echo foo
  bar:
    runs-on: ubuntu-latest
    permissions: {}
    env:
      DATADOG_API_KEY: ${{secrets.DATADOG_API_KEY}}
    steps:
      - run: echo bar

How to fix

Set secrets to jobs or steps.

Why?

Secrets should be exposed to only necessary jobs or steps.

Exceptions

Workflow has only one job.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

005.md

005.md

workflow_secrets

Examples

How to fix

Why?

Exceptions

Files

005.md

Latest commit

History

005.md

File metadata and controls

workflow_secrets

Examples

How to fix

Why?

Exceptions