Secrets and Variables
How to register and manage secrets and variables at the workspace and repository level
Secrets and Variables are features for securely managing sensitive credentials and configuration values in CI/CD pipelines.
Difference Between Secrets and Variables
| Type | Secrets | Variables |
|---|---|---|
| Purpose | Sensitive credentials | Non-secret configuration values |
| Examples | API keys, tokens, passwords, SSH keys | Region, URL, deployment environment, build paths |
| Log exposure | Masked (***) | Shown as-is |
| Workflow reference | ${{ secrets.KEY }} | ${{ vars.KEY }} |
Registering Secrets
Workspace Level
Workspace-level secrets are available to all repositories within the workspace.
Navigate to the workspace Settings page
Select Secrets from the left menu
Click Add Secret
Enter the name and value, then save
Secret values cannot be retrieved after saving. If you lose the value, you must register a new one.
Repository Level
Repository-level secrets are only available to pipelines within that repository.
Navigate to the repository Settings page
Select Secrets from the left menu
Click Add Secret
Enter the name and value, then save
Repository-level secrets take precedence over workspace-level secrets. If the same name exists at both levels, the repository-level value is used.
Commonly Used Secrets
| Secret Name | Purpose | Description |
|---|---|---|
| GIT_SSH_PRIVATE_KEY | Git checkout | SSH private key (base64 encoded) |
| GCP_SA_KEY | GCP authentication | Service account key JSON |
| AWS_ACCESS_KEY_ID | AWS authentication | AWS Access Key |
| AWS_SECRET_ACCESS_KEY | AWS authentication | AWS Secret Key |
| SLACK_WEBHOOK | Notifications | Slack Incoming Webhook URL |
| NPM_TOKEN | Package installation | npm registry auth token |
Registering Variables
Workspace Level
Navigate to the workspace Settings page
Select Variables from the left menu
Click Add Variable
Enter the name and value, then save
Repository Level
Navigate to the repository Settings page
Select Variables from the left menu
Click Add Variable
Enter the name and value, then save
Commonly Used Variables
| Variable Name | Purpose | Example Value |
|---|---|---|
| DEPLOY_ENV | Deployment environment | production, staging |
| AWS_REGION | AWS region | ap-northeast-2 |
| GCP_PROJECT_ID | GCP project | my-repository-123 |
| GKE_CLUSTER | GKE cluster name | prod-cluster |
| SLACK_CHANNEL | Notification channel | #deploy-notifications |
Naming Conventions
Use uppercase letters and _ by convention.
Allowed characters: [A-Z0-9_]
Examples: API_KEY, DB_PASSWORD, DEPLOY_ENV
Secrets and variables do not share the same namespace. You can register a secret and a variable with the same name, but it is recommended to use distinct names to avoid confusion.
Priority
When the same name is registered at multiple levels:
Repository Level > Workspace Level
(highest) (lowest)
Using in Workflows
After registering secrets and variables, reference them in your Workflow YAML:
```yaml
env:
  # Variable reference
  DEPLOY_ENV: "${{ vars.DEPLOY_ENV }}"
  REGION: "${{ vars.AWS_REGION }}"

jobs:
  deploy:
    steps:
      - name: deploy
        run: ./deploy.sh
        env:
          # Secret reference
          API_KEY: "${{ secrets.API_KEY }}"
          DEPLOY_TOKEN: "${{ secrets.DEPLOY_TOKEN }}"
```

For detailed usage, see the CI/CD Environment Variables documentation.
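The precedence, namespace and naming rules above can be checked before a workflow is merged. The following is an added example, not code from the platform or its documentation: `resolve`, `audit`, the sample workflow and the registered-name sets are hypothetical and constructed for illustration, and the checker works on names only, never on secret values.

```python
import re

NAME_RE = re.compile(r"[A-Z0-9_]+")  # allowed characters, per the naming rules
REF_RE = re.compile(r"\$\{\{\s*(secrets|vars)\.([^\s}]+)\s*\}\}")

def resolve(name, repo_names, workspace_names):
    """Return the level that supplies `name`: repository wins over workspace."""
    if name in repo_names:
        return "repository"
    return "workspace" if name in workspace_names else None

def audit(workflow_text, secrets, variables):
    """Lint references against {"repository": set, "workspace": set} name stores."""
    stores = {"secrets": secrets, "vars": variables}
    findings = set()
    for ns, name in REF_RE.findall(workflow_text):
        own = stores[ns]
        other = stores["vars" if ns == "secrets" else "secrets"]
        if not NAME_RE.fullmatch(name):
            findings.add((ns, name, "name outside [A-Z0-9_]"))
        level = resolve(name, own["repository"], own["workspace"])
        if level is None:
            findings.add((ns, name, "not registered at any level"))
        elif level == "repository" and name in own["workspace"]:
            findings.add((ns, name, "repository value shadows workspace value"))
        # Separate namespaces: a same-named variable is printed unmasked in logs.
        if name in other["repository"] | other["workspace"]:
            findings.add((ns, name, "same name exists in the other namespace"))
    return sorted(findings)

# Constructed sample input (not from the original page).
WORKFLOW = """
env:
  DEPLOY_ENV: "${{ vars.DEPLOY_ENV }}"
  API_KEY: "${{ vars.API_KEY }}"
jobs:
  deploy:
    steps:
      - name: deploy
        env:
          API_KEY: "${{ secrets.API_KEY }}"
          DEPLOY_TOKEN: "${{ secrets.DEPLOY_TOKEN }}"
          NPM_TOKEN: "${{ secrets.npm-token }}"
"""
SECRETS = {"repository": {"API_KEY"}, "workspace": {"API_KEY", "NPM_TOKEN"}}
VARIABLES = {"repository": {"DEPLOY_ENV"}, "workspace": {"AWS_REGION", "API_KEY"}}

if __name__ == "__main__":
    print(*audit(WORKFLOW, SECRETS, VARIABLES), sep="\n")
```

The shadowing finding is informational: a repository-level override may be intentional, but it also hides later rotation of the workspace-level value from that repository.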