Naming your secrets
Tip
To help ensure that GitHub redacts your secrets in logs correctly, avoid using structured data as the values of secrets.
The following rules apply to secret names:
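- Can only contain alphanumeric characters ([a-z], [A-Z], [0-9]) or underscores (_). Spaces are not allowed.
- Must not start with the GITHUB_ prefix.
- Must not start with a number.
- Are case insensitive when referenced. GitHub stores secret names as uppercase regardless of how they are entered.
- Must be unique to the repository, organization, or enterprise where they are created.
If a secret with the same name exists at multiple levels, the secret at the lowest level takes precedence. For example, if an organization-level secret has the same name as a repository-level secret, then the repository-level secret takes precedence. Similarly, if an organization, repository, and environment all have a secret with the same name, the environment-level secret takes precedence.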
Limits for secrets
You can store up to 1,000 organization secrets, 100 repository secrets, and 100 environment secrets.
A workflow created in a repository can access the following number of secrets:
- All 100 repository secrets.
- If the repository is assigned access to more than 100 organization secrets, the workflow can only use the first 100 organization secrets (sorted alphabetically by secret name).
- All 100 environment secrets.
Secrets are limited to 48 KB in size. To store larger secrets, see Using secrets in GitHub Actions.
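The naming rules, precedence order and per-workflow limit described above can be modelled as follows. This is an added example, not GitHub's code. The function names, reading 48 KB as 48 * 1024 bytes, applying the GITHUB_ check after uppercasing, and plain ASCII sort order are assumptions.

```python
import re

# Rules from this page: letters, digits, underscore; no leading digit; no
# GITHUB_ prefix; names are stored uppercase and matched case-insensitively.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
MAX_ORG_SECRETS_PER_WORKFLOW = 100
MAX_SECRET_BYTES = 48 * 1024  # assumption: "48 KB" taken as 48 * 1024 bytes


def normalize_name(name):
    """Return the stored (uppercase) form of a secret name or raise ValueError."""
    # fullmatch, not match/$, so "KEY\n" or "KEY " cannot slip through.
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid character or leading digit: {name!r}")
    upper = name.upper()
    if upper.startswith("GITHUB_"):  # assumption: checked after uppercasing
        raise ValueError(f"reserved GITHUB_ prefix: {name!r}")
    return upper


def normalize_level(secrets):
    """Normalize one level's {name: value} map; names must be unique per level."""
    out = {}
    for name, value in secrets.items():
        key = normalize_name(name)
        if key in out:
            raise ValueError(f"duplicate name after uppercasing: {key}")
        if len(value.encode("utf-8")) > MAX_SECRET_BYTES:
            raise ValueError(f"{key} is larger than 48 KB")
        out[key] = value
    return out


def effective_secrets(org, repo, env):
    """Map each name to (winning level, value): environment > repository > organization."""
    org_n = normalize_level(org)
    # Only the first 100 organization secrets by name are usable (ASCII sort assumed).
    resolved = {n: ("organization", org_n[n])
                for n in sorted(org_n)[:MAX_ORG_SECRETS_PER_WORKFLOW]}
    resolved.update({n: ("repository", v) for n, v in normalize_level(repo).items()})
    resolved.update({n: ("environment", v) for n, v in normalize_level(env).items()})
    return resolved


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    print(effective_secrets({"API_KEY": "org-value", "DB_PASS": "org-db"},
                            {"api_key": "repo-value"}, {"Api_Key": "env-value"}))
```

Running a check like this before creating secrets shows which level will win for a given name, so a repository-level or environment-level secret does not silently shadow an organization-level one.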
When GitHub Actions reads secrets
Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.
Automatically redacted secrets
GitHub automatically redacts the following sensitive information from workflow logs.
- 32-byte and 64-byte Azure keys
- Azure AD client app passwords
- Azure Cache keys
- Azure Container Registry keys
- Azure Function host keys
- Azure Search keys
- Database connection strings
- HTTP Bearer token headers
- JWTs
- NPM author tokens
- NuGet API keys
- v1 GitHub installation tokens
- v2 GitHub installation tokens (ghp, gho, ghu, ghs, ghr)
- v2 GitHub PATs