GitHub Actions: Secrets, Permissions, Security, and OIDC/Expose a secret as an environment variable

Use the `secrets` context in the step's `env` block.

Section: Permissions and secrets

Expose a secret as an environment variable

```yaml
- name: Login
  env:
    API_TOKEN: ${{ secrets.API_TOKEN }}
  run: ./scripts/login.sh
```
Explanation

Secrets are automatically masked in logs, but still avoid printing them.
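The following is an added example, not code from the original sheet: one way a script such as `./scripts/login.sh` could consume `API_TOKEN` from the step environment without printing it or placing it on a command line. The `LOGIN_URL` variable, the function names, and the Bearer header format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a hypothetical scripts/login.sh for the step above.
# LOGIN_URL and the Bearer header format are assumptions, not from the page.
set -eu

# Stop with a clear error when the secret was not mapped into the step env.
# An undefined secret expands to an empty string, so test for emptiness.
require_token() {
  if [ -z "${API_TOKEN:-}" ]; then
    echo "API_TOKEN is empty: map it under env: in the workflow step" >&2
    return 1
  fi
}

# Write the header to a file only the current user can read, so the token
# is never a command-line argument (visible in process listings).
# Prints the path of the header file.
write_auth_header() {
  hdr_file="$(umask 077; mktemp)"
  printf 'Authorization: Bearer %s\n' "$API_TOKEN" > "$hdr_file"
  printf '%s\n' "$hdr_file"
}

# Send the login request to the URL given as $1.
login() {
  require_token || return 1
  hdr="$(write_auth_header)"
  status=0
  # curl reads request headers from the file (-H @file); the response body
  # is discarded so nothing sensitive is echoed into the job log.
  curl --fail --silent --show-error --output /dev/null \
    -H "@$hdr" "$1" || status=$?
  rm -f "$hdr"
  return "$status"
}

# Runs only when an endpoint is provided (hypothetical variable).
[ -z "${LOGIN_URL:-}" ] || login "$LOGIN_URL"
```

Reading headers from a file with `-H @file` needs curl 7.55.0 or newer.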

Related commands

Set least-privilege token permissions
Limit the default GITHUB_TOKEN scope.
Grant write access only where needed
Elevate token permissions on a specific job.
Mask a dynamic sensitive value
Hide a generated or fetched secret from logs.
Use protected environments for deploys
Require approval and environment-scoped secrets.
Enable OIDC token issuance
Grant `id-token: write` when using cloud federation.
Configure AWS credentials via OIDC
Use the AWS credentials action without long-lived keys.