
github_secrets_guide

Learn how to use GitHub Secrets to securely store and manage sensitive data in your CI/CD workflows. This guide explains common patterns for implementing secrets in GitHub Actions.

Instructions

Explain GitHub Secrets and common patterns

Input Schema


No arguments

Implementation Reference

  • src/index.js:1998-2091 (registration)
    Registration of the 'github_secrets_guide' tool via server.tool() call. Includes empty parameter schema {} and inline handler function.
    server.tool(
      "github_secrets_guide",
      "Explain GitHub Secrets and common patterns",
      {},
      async () => {
        return {
          content: [{
            type: "text",
            text: `GITHUB SECRETS GUIDE
    ====================
    
    WHAT ARE SECRETS?
    -----------------
    Encrypted environment variables for your GitHub Actions workflows.
    They're never exposed in logs or to forked repositories.
    
    TYPES OF SECRETS:
    -----------------
    1. Repository Secrets
       - Available to all workflows in the repo
       - Set via: gh secret set NAME
    
    2. Environment Secrets
       - Tied to deployment environments (staging, production)
       - Can require approval before use
       - Set via: gh secret set NAME --env production
    
    3. Organization Secrets
       - Shared across multiple repos
       - Set in org settings
    
    BUILT-IN SECRETS (no setup needed):
    -----------------------------------
    - GITHUB_TOKEN: Auto-generated, used for GitHub API calls
      Permissions: read repo, write packages, etc.
    
    COMMON SECRETS TO SET UP:
    -------------------------
    Docker Hub:
      gh secret set DOCKER_USERNAME
      gh secret set DOCKER_PASSWORD
    
    AWS:
      gh secret set AWS_ACCESS_KEY_ID
      gh secret set AWS_SECRET_ACCESS_KEY
      gh secret set AWS_REGION
    
    Database:
      gh secret set DATABASE_URL
    
    API Keys:
      gh secret set API_KEY
      gh secret set SONAR_TOKEN
    
    SSH Deploy:
      gh secret set SSH_PRIVATE_KEY
    
    USING SECRETS IN WORKFLOWS:
    ---------------------------
    \`\`\`yaml
    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Login to Docker Hub
            uses: docker/login-action@v3
            with:
              username: \${{ secrets.DOCKER_USERNAME }}
              password: \${{ secrets.DOCKER_PASSWORD }}
    
          - name: Deploy
            run: ./deploy.sh
            env:
              DATABASE_URL: \${{ secrets.DATABASE_URL }}
              API_KEY: \${{ secrets.API_KEY }}
    \`\`\`
    
    SECURITY BEST PRACTICES:
    ------------------------
    1. Never commit secrets to code (use .env.example instead)
    2. Rotate secrets regularly
    3. Use environment secrets for production
    4. Limit secret access with environments + required reviewers
    5. Use OIDC for cloud providers when possible (no long-lived secrets)
    
    QUICK COMMANDS:
    ---------------
    List secrets:     gh secret list
    Set secret:       gh secret set SECRET_NAME
    Delete secret:    gh secret delete SECRET_NAME
    Set for env:      gh secret set SECRET_NAME --env production`
          }]
        };
      }
    );
  • Handler implementation: Returns a static markdown-formatted guide explaining GitHub Secrets, their types, usage, best practices, and common commands.
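
Best practices 3 to 5 from the guide text above, shown as a workflow. This is an added example, not part of the RTD-DevOps source: the long-lived AWS key secrets from the guide sit beside an OIDC version gated by the production environment. The account ID, role name, region and trigger branch are placeholders or assumptions.

```yaml
# Two alternative versions of the same workflow file, separated by '---'.
# Constructed for illustration; not taken from the project.

# Version 1 (weak): long-lived AWS keys stored as repository secrets.
# Any workflow in the repo can read them, and they stay valid until rotated.
name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./deploy.sh
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
---
# Version 2 (hardened): no AWS keys stored in GitHub at all.
name: deploy
on:
  push:
    branches: [main]
permissions:
  contents: read     # GITHUB_TOKEN limited to reading the repo
  id-token: write    # allows the job to request an OIDC token
jobs:
  deploy:
    runs-on: ubuntu-latest
    # Job waits for the environment's required reviewers, and only then
    # gains access to secrets set with: gh secret set NAME --env production
    environment: production
    steps:
      - uses: actions/checkout@v4
      - name: Assume AWS role via OIDC (short-lived credentials)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<ACCOUNT_ID>:role/<DEPLOY_ROLE>  # placeholder
          aws-region: us-east-1  # assumed region
      - name: Deploy
        run: ./deploy.sh
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}  # environment secret
```

The IAM role's trust policy should restrict the OIDC token's `sub` claim to this repository and the `production` environment, otherwise other repositories could assume the same role.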


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/rideRTD/RTD-DevOps'
