How to import private data with GitHub actions?

Question

I'm working on a Node project involving several API keys. I stored the API keys in a configuration file config.js. Then I added config.js to .gitignore so that the API keys aren't revealed in the public repository. But when I try to npm run build with GitHub actions, there's an import error because config.js isn't in the repository.

Can I "simulate" config.js somehow on GitHub? Or should I setup an action to download config.js from elsewhere? Is there a better approach?

I'm using GitHub's boilerplate nodejs.yml:

name: Node CI

on: [push]

jobs:
  build:

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [8.x, 10.x, 12.x]

    steps:
    - uses: actions/checkout@v1
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@v1
      with:
        node-version: ${{ matrix.node-version }}
    - name: npm install, build, and test
      run: |
        npm install
        npm run build --if-present
      env:
        CI: true

I'm fairly new to CI/CD. Thanks in advance!

UPDATE: I solved this problem using the accepted answer below. I stored config.js in a secret variable config on GitHub. Then I added a step in the workflow that creates config.js before it's needed:

  ...
    - name: create config.js
      run: echo '${{ secrets.config }}' > path/to/config.js
    - name: npm install, build, and test
  ...

Answer 1

You could declare your key as a secret in GitHub Actions under the name you want (for instance 'my_secret_key')
See also "Creating and using secrets (encrypted variables)"

Said key can be referenced in your config.js as a variable $my_secret_key.