Secret File for Config Settings and/or Environment Variables?


I have an application that reads a bunch of ENV variables from a file. Mostly API keys used during integration testing that I don’t want in the repo. I would prefer to not have to set each of these ENV variables as a separate secret variable. Is there a way to save a file, say a .env file, as a secret then load that file during the run? In my case my application will read and set the ENV variables from the file.

Something similar to how Jenkins lets you store secret files?


You just need to load your variables into the GitHub virtual environment, e.g. export them in whatever language or tool you choose: dotenv for JavaScript, or in bash just _export $(<.env)_ inside one of your steps (as long as they are in the same job they will be in the same environment).

Hello @anthonywc.   How do I get the file with my environment variables into the virtual environment if it’s not in the repository?  The file has API keys that I don’t want to add to the repository.  Thank you.

Hi @mrbiggred,

We don’t have that capability currently.

We do have an API coming soon for setting secrets. That could be used for setting large numbers of secrets programmatically.

Sorry we don’t have an exact solution for you. Hopefully the API makes this workflow possible for you though. 


Thank you @smscodeverification for answering my question even if it was not the answer I wanted to hear. Also thank you for letting me know about the upcoming API. All the best.

You can store your secrets inside the repository, encrypted with the ‘gpg’ tool, and decrypt them as a step in the workflow job.

A similar solution is described here

Any updates on this issue?

Can’t we store the content of the .env file in a secret variable ENV_FILE and then add a step to create the .env file from secrets:

- name: Create .env file
  run: echo "${{ secrets.ENV_FILE }}" > .env

Then maybe delete the .env file later.
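
An added example, not part of any post in this thread: shell helpers for the "write .env from a secret, load it, delete it" flow discussed above. It assumes the secret is mapped into the step as the environment variable `ENV_FILE` through the step's `env:` block, so its content is never pasted into the script text; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the thread.

# Write the secret (assumed to be in $ENV_FILE via the step's `env:` mapping)
# to a file only the current user can read. printf emits the content as data;
# the shell never re-parses it, unlike an inline ${{ }} substitution.
write_env_file() {
    target=$1
    [ -n "${ENV_FILE:-}" ] || { echo "ENV_FILE is empty" >&2; return 1; }
    ( umask 077 && printf '%s\n' "$ENV_FILE" > "$target" )
}

# Export KEY=VALUE lines without word splitting, globbing or eval, so values
# with spaces or shell metacharacters survive intact (export $(<.env) splits
# them). Error messages never echo the line, to keep secrets out of logs.
load_env_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac       # skip blanks, comments
        case $line in *=*) ;; *) echo "malformed line" >&2; return 1 ;; esac
        key=${line%%=*}                               # text before first '='
        value=${line#*=}                              # text after first '='
        case $key in                                  # reject invalid names
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "invalid key" >&2; return 1 ;;
        esac
        case $value in                                # strip one quote pair
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        export "$key=$value"
    done < "$1"
}

# Remove the plaintext file once the step no longer needs it.
cleanup_env_file() { rm -f -- "$1"; }
```

In a step, call `write_env_file .env`, run the tests, then `cleanup_env_file .env`; registering the cleanup with `trap` makes it run even when the tests fail.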